97572bd57b08b59744e4dfe6f93fb96be4002dfe1aa78683771725401776464f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperV1.19.exe
Size

972KB
MD5

90fd25ced85fe6db28d21ae7d1f02e2c
SHA1

e27eff4cd4d383f5c564cce2bd1aaa2ffe4ec056
SHA256

97572bd57b08b59744e4dfe6f93fb96be4002dfe1aa78683771725401776464f
SHA512

1c775cf8dfde037eaa98eb14088c70d74923f0f6a83030a71f2f4c1a4453f6154dab7a4aa175e429860badda3e5e0ae226f3c3e8171332f5962bf36f8aa073fa
SSDEEP

24576:DIbp4sZotkNjFC/4qxp+k+kPFoHZvPrSMc:cvotkNjg/lhqZvG

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	BootstrapperV1.19.exe

Loads dropped DLL 11 IoCs

pid	Process
3816	MsiExec.exe
3816	MsiExec.exe
4488	MsiExec.exe
4488	MsiExec.exe
4488	MsiExec.exe
4488	MsiExec.exe
4488	MsiExec.exe
3520	MsiExec.exe
3520	MsiExec.exe
3520	MsiExec.exe
3816	MsiExec.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
33	4128	msiexec.exe
35	4128	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
19	pastebin.com
20	pastebin.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\init-package-json\lib\init-package-json.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\client\error.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\fs\lib\cp\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\lib\error.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-test.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\debug\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\agentkeepalive\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\common-ancestor-path\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\safer-buffer\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\function-bind\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-root.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-token.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-dist-tag.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\readable-stream\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\normalize-package-data\lib\warning_messages.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmdiff\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\sort.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\query\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\qrcode-terminal\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\node_modules\glob\common.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\generator\eclipse.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\util\stream.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\generator\compile_commands_json.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\has-flag\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\node_modules\glob\glob.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\calc-dep-flags.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\lib\internal\streams\writable.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@isaacs\string-locale-compare\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\tools\emacs\run-unit-tests.sh	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\process-release.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\depd\History.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\tuf\trustroot.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\types\sigstore\__generated__\sigstore_verification.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\valid.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-prefix.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-install-test.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\tlog\format.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\make-fetch-happen\lib\remote.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\gauge\lib\template-item.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\hosted-git-info\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@tootallnate\once\dist\types.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-fetch\lib\response.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\completion.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\brace-expansion\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-rebuild.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\util\dsse.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-registry-fetch\lib\errors.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\abort-controller\dist\abort-controller.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\balanced-match\LICENSE.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man7\package-spec.7	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\search.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\events\tests\num-args.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\env-paths\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\relpath.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ieee754\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-profile\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\qrcode-terminal\vendor\QRCode\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\installed-package-contents\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\util\stream.d.ts	msiexec.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICBB5.tmp	msiexec.exe
File created	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File created	C:\Windows\Installer\e579aae.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e579aaa.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9F6D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9F8E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA703.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD8C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICD1E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID0E8.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA4EE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA6D3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICB37.tmp	msiexec.exe
File created	C:\Windows\Installer\e579aaa.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9EEF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIADBC.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133717445107478155"	chrome.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\DocumentationShortcuts	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPath	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Version = "303038464"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\DeploymentFlags = "3"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeEtwSupport = "NodeRuntime"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\PackageCode = "347C7A52EDBDC9A498427C0BC7ABB536"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductName = "Node.js"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductIcon = "C:\\Windows\\Installer\\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\\NodeIcon"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeRuntime	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\PackageName = "node-v18.16.0-x64.msi"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\npm	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\corepack	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4072	BootstrapperV1.19.exe
4072	BootstrapperV1.19.exe
4128	msiexec.exe
4128	msiexec.exe
2044	chrome.exe
2044	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4072	BootstrapperV1.19.exe
Token: SeShutdownPrivilege	636	msiexec.exe
Token: SeIncreaseQuotaPrivilege	636	msiexec.exe
Token: SeSecurityPrivilege	4128	msiexec.exe
Token: SeCreateTokenPrivilege	636	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	636	msiexec.exe
Token: SeLockMemoryPrivilege	636	msiexec.exe
Token: SeIncreaseQuotaPrivilege	636	msiexec.exe
Token: SeMachineAccountPrivilege	636	msiexec.exe
Token: SeTcbPrivilege	636	msiexec.exe
Token: SeSecurityPrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeLoadDriverPrivilege	636	msiexec.exe
Token: SeSystemProfilePrivilege	636	msiexec.exe
Token: SeSystemtimePrivilege	636	msiexec.exe
Token: SeProfSingleProcessPrivilege	636	msiexec.exe
Token: SeIncBasePriorityPrivilege	636	msiexec.exe
Token: SeCreatePagefilePrivilege	636	msiexec.exe
Token: SeCreatePermanentPrivilege	636	msiexec.exe
Token: SeBackupPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeShutdownPrivilege	636	msiexec.exe
Token: SeDebugPrivilege	636	msiexec.exe
Token: SeAuditPrivilege	636	msiexec.exe
Token: SeSystemEnvironmentPrivilege	636	msiexec.exe
Token: SeChangeNotifyPrivilege	636	msiexec.exe
Token: SeRemoteShutdownPrivilege	636	msiexec.exe
Token: SeUndockPrivilege	636	msiexec.exe
Token: SeSyncAgentPrivilege	636	msiexec.exe
Token: SeEnableDelegationPrivilege	636	msiexec.exe
Token: SeManageVolumePrivilege	636	msiexec.exe
Token: SeImpersonatePrivilege	636	msiexec.exe
Token: SeCreateGlobalPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	4128	msiexec.exe
Token: SeTakeOwnershipPrivilege	4128	msiexec.exe
Token: SeRestorePrivilege	4128	msiexec.exe
Token: SeTakeOwnershipPrivilege	4128	msiexec.exe
Token: SeRestorePrivilege	4128	msiexec.exe
Token: SeTakeOwnershipPrivilege	4128	msiexec.exe
Token: SeRestorePrivilege	4128	msiexec.exe
Token: SeTakeOwnershipPrivilege	4128	msiexec.exe
Token: SeRestorePrivilege	4128	msiexec.exe
Token: SeTakeOwnershipPrivilege	4128	msiexec.exe
Token: SeRestorePrivilege	4128	msiexec.exe
Token: SeTakeOwnershipPrivilege	4128	msiexec.exe
Token: SeRestorePrivilege	4128	msiexec.exe
Token: SeTakeOwnershipPrivilege	4128	msiexec.exe
Token: SeRestorePrivilege	4128	msiexec.exe
Token: SeTakeOwnershipPrivilege	4128	msiexec.exe
Token: SeRestorePrivilege	4128	msiexec.exe
Token: SeTakeOwnershipPrivilege	4128	msiexec.exe
Token: SeRestorePrivilege	4128	msiexec.exe
Token: SeTakeOwnershipPrivilege	4128	msiexec.exe
Token: SeRestorePrivilege	4128	msiexec.exe
Token: SeTakeOwnershipPrivilege	4128	msiexec.exe
Token: SeSecurityPrivilege	3136	wevtutil.exe
Token: SeBackupPrivilege	3136	wevtutil.exe
Token: SeSecurityPrivilege	4132	wevtutil.exe
Token: SeBackupPrivilege	4132	wevtutil.exe
Token: SeRestorePrivilege	4128	msiexec.exe
Token: SeTakeOwnershipPrivilege	4128	msiexec.exe
Token: SeRestorePrivilege	4128	msiexec.exe
Token: SeTakeOwnershipPrivilege	4128	msiexec.exe
Token: SeRestorePrivilege	4128	msiexec.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe
2044	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 636	4072	BootstrapperV1.19.exe	87
PID 4072 wrote to memory of 636	4072	BootstrapperV1.19.exe	87
PID 4128 wrote to memory of 3816	4128	msiexec.exe	90
PID 4128 wrote to memory of 3816	4128	msiexec.exe	90
PID 4128 wrote to memory of 4488	4128	msiexec.exe	91
PID 4128 wrote to memory of 4488	4128	msiexec.exe	91
PID 4128 wrote to memory of 4488	4128	msiexec.exe	91
PID 4128 wrote to memory of 3520	4128	msiexec.exe	95
PID 4128 wrote to memory of 3520	4128	msiexec.exe	95
PID 4128 wrote to memory of 3520	4128	msiexec.exe	95
PID 3520 wrote to memory of 3136	3520	MsiExec.exe	96
PID 3520 wrote to memory of 3136	3520	MsiExec.exe	96
PID 3520 wrote to memory of 3136	3520	MsiExec.exe	96
PID 3136 wrote to memory of 4132	3136	wevtutil.exe	98
PID 3136 wrote to memory of 4132	3136	wevtutil.exe	98
PID 2044 wrote to memory of 4900	2044	chrome.exe	111
PID 2044 wrote to memory of 4900	2044	chrome.exe	111
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 2952	2044	chrome.exe	112
PID 2044 wrote to memory of 4648	2044	chrome.exe	113
PID 2044 wrote to memory of 4648	2044	chrome.exe	113
PID 2044 wrote to memory of 400	2044	chrome.exe	114
PID 2044 wrote to memory of 400	2044	chrome.exe	114
PID 2044 wrote to memory of 400	2044	chrome.exe	114
PID 2044 wrote to memory of 400	2044	chrome.exe	114
PID 2044 wrote to memory of 400	2044	chrome.exe	114
PID 2044 wrote to memory of 400	2044	chrome.exe	114
PID 2044 wrote to memory of 400	2044	chrome.exe	114
PID 2044 wrote to memory of 400	2044	chrome.exe	114
PID 2044 wrote to memory of 400	2044	chrome.exe	114
PID 2044 wrote to memory of 400	2044	chrome.exe	114
PID 2044 wrote to memory of 400	2044	chrome.exe	114
PID 2044 wrote to memory of 400	2044	chrome.exe	114
PID 2044 wrote to memory of 400	2044	chrome.exe	114
PID 2044 wrote to memory of 400	2044	chrome.exe	114
PID 2044 wrote to memory of 400	2044	chrome.exe	114

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.19.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.19.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:636

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding A90ABA9BD453555A96B7B1F93A8D0005
  2⤵
  - Loads dropped DLL
  PID:3816
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C84BE9E5097112CD94C69396025AC18A
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4488
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 92BAA59B13DFCBE81C21887489043993 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\SysWOW64\wevtutil.exe
    "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3136
  - - C:\Windows\System32\wevtutil.exe
      "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff8ebcecc40,0x7ff8ebcecc4c,0x7ff8ebcecc58
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,9012900596284927908,8809245432433107819,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1996,i,9012900596284927908,8809245432433107819,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1976 /prefetch:3
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,9012900596284927908,8809245432433107819,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2396 /prefetch:8
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,9012900596284927908,8809245432433107819,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3320,i,9012900596284927908,8809245432433107819,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=2232,i,9012900596284927908,8809245432433107819,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3816 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4608,i,9012900596284927908,8809245432433107819,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4684 /prefetch:8
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,9012900596284927908,8809245432433107819,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4728,i,9012900596284927908,8809245432433107819,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4840,i,9012900596284927908,8809245432433107819,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5160,i,9012900596284927908,8809245432433107819,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4976,i,9012900596284927908,8809245432433107819,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4696,i,9012900596284927908,8809245432433107819,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3708 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5328,i,9012900596284927908,8809245432433107819,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:1512

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e579aad.rbs

Filesize
1.0MB

MD5
49269b4c7c460a6900a2979a305fef95

SHA1
231f6cbbb978b39eaf4010c1c0c01e3a123e3eca

SHA256
3702945d2d12c03513cce91e06544d5dffac58b2b6f9fc18781d84e6c4ff5ef1

SHA512
68921ffbd9990a146c9731c4f9dec509239142699742f8f6e62edc5681c6bba47629573043f83a445e290fc47b4777b39d03541c0b97b015db5ac9a361f74e55

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
8KB

MD5
2a6686d512ee9ba8b75e0bce9a794770

SHA1
465e00320c74d4481a5e7e7242aaeb60d02e2fab

SHA256
5afa5bcab0d66f0dc65ccad359650730ace53dff1d891cd33a9f54aa43d34419

SHA512
ff44d6f3e7be06c98077a00854edb0ca122fc5c98c976f86787c7b003d224f62c1079412e7c5cdb36c2a6df0825dd17ccbffe44eb264fa63e3d1e44654af74b2

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
8KB

MD5
d3bc164e23e694c644e0b1ce3e3f9910

SHA1
1849f8b1326111b5d4d93febc2bafb3856e601bb

SHA256
1185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4

SHA512
91ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\aggregate-error\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\LICENSE.md

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts

Filesize
4KB

MD5
f0bd53316e08991d94586331f9c11d97

SHA1
f5a7a6dc0da46c3e077764cfb3e928c4a75d383e

SHA256
dd3eda3596af30eda88b4c6c2156d3af6e7fa221f39c46e492c5e9fb697e2fef

SHA512
fd6affbaed67d09cf45478f38e92b8ca6c27650a232cbbeaff36e4f7554fb731ae44cf732378641312e98221539e3d8fabe80a7814e4f425026202de44eb5839

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\LICENSE

Filesize
771B

MD5
1d7c74bcd1904d125f6aff37749dc069

SHA1
21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab

SHA256
24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9

SHA512
b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
db7dbbc86e432573e54dedbcc02cb4a1

SHA1
cff9cfb98cff2d86b35dc680b405e8036bbbda47

SHA256
7cf8a9c96f9016132be81fd89f9573566b7dc70244a28eb59d573c2fdba1def9

SHA512
8f35f2e7dac250c66b209acecab836d3ecf244857b81bacebc214f0956ec108585990f23ff3f741678e371b0bee78dd50029d0af257a3bb6ab3b43df1e39f2ec

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url

Filesize
133B

MD5
35b86e177ab52108bd9fed7425a9e34a

SHA1
76a1f47a10e3ab829f676838147875d75022c70c

SHA256
afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319

SHA512
3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
76c12a5b61382278e795f85afc2268d1

SHA1
4cc52c66c69a45950eb59c2cfb83b85684fd1d32

SHA256
847645a481ac6391cc84d9e25a421afffbe6cb114970b118aedd4c57ffbd6123

SHA512
a9cbab5da4baa09f3e4199015d3fd3a6e0edcb7edbaa6671434ba9c084bf79a17b3af1d65747232774aa80b796f7868c90a692bff5ed5e2e4e1670e22c4b2e6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
86369d472033333d7d97dd1c471f2674

SHA1
2853db9b624065e179f5ba46f85d41bbec760466

SHA256
732c036bd280317e2f5006ad3b878b73fa95b611cff57d529ffc46855c17a1fd

SHA512
b7259e5d467d728c4d026a9879c3f43d5c5532f7d00e6f8c2b252acfa3c456fc6c1586b987df1cda6bd6e07f689e1e431dcd4978e05869acbe659b93dcbf249f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
d1067090158bb7432dfdcfefa27b6004

SHA1
c9acabbac28cd2c9c42d1b9a488d3c8e8a352d57

SHA256
457ba2444f85399eaa8a9d419bfc803329123cee48ebab6bcc16f705b235e230

SHA512
2ebcf3ae0cf5a857a06afc32cf3f35250286a90f24b1690c9ba1eaaf43c2da08057904cce035bbccdeb2566bb2b78240e672efd79ce67b5f0de3f0a4c8d37a27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
07d5cc7a03b2cfd44a8b378a46e31e8e

SHA1
1c5813554ef82d999e363f13dd04d4ecb11a425f

SHA256
f55bd338582a79ffa94911e3c1ea3ec48613bcea76abb687f66d3dad3c8e6e66

SHA512
5d4beee4b30571d7564611925c78086d71d0c29ca84cad29f99fe354b82c37677095455d5629fea4c5df43539576d016ec2be3383e50dbd22158c545dfce9130

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a7bc2e6fe50f5f79596db5080a562658

SHA1
def3a4d59ffe456924552a273d58a032308674b5

SHA256
59ab8237cddda0c7362cb7bbff161792566534b31711051345b9942c5b373458

SHA512
41faaefb23fdf713cdaa2b59b67863fcf8c39bacb781fa31cdd9f96691e26a55229593f1a1fc4adf0c4150323e91be06b5d3e7f491ba3bdf8365c193c7833eeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
711bb8bcde8f1c3a29fe0736bb52b9fe

SHA1
f93c7265490568eae696afc1de345a8ded023374

SHA256
9b4dceba88f59ac1b12630a54f6ad2675cb33745db4cc2effa6e6d8d37cb5a46

SHA512
cbab29406cc6b8f82504b9d2dbb73bbc9c9941c5dcebe1d2ce38d7247947155aff771c7ac9a7b7002488c2831fcb7e5d2ab93d57b06dc77ab17e546b18d75070

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
22e60436cb3c1596b35211208b5ece4c

SHA1
ce5d34ffc353048e27275c7a5c9ed4e2c1380872

SHA256
c45a91590cb4682c7870c5e6c194105706a6d656022feb960a88626539ce8d9d

SHA512
b38b555480c14683fe73b8ca5253534bd333dbfe9d3ac5f52b13ca76286066d4ef6c304c39f4162423593b4d723e9c946d460cbdeeff7407b5910ffa6c85d181

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
aa2cbc33531c37edc626c172c5d35f4b

SHA1
b5fa8b08ae5b00cd516fada9a92c0101a5f0063c

SHA256
afea82767f7ba4a1ab46e29e78fe14e3ea826736c00bbe3d202d6b92685c6e50

SHA512
6e5020035bd1237ed832141bc1cd1c669b7c3f9f8a865b9be4925196cc8f4e3eb48045598b214606dc412c5110af439d9f75c31e1abeda3e945fe5348bee8b93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
7e945caf976a39554bc2dec2e9263fac

SHA1
af31ca57ec34687f71a38eea7e2d6b58f070b12c

SHA256
0b0ca2c80e6d813f04c6146971e965fc2822d5d1a846563e8491a2e4f51ab9f8

SHA512
5a5286509e4a805948acf10f4d607611c29e74948b45b2661fac876327655491a7325cd6e0cdeda66cf105fc40196e2bd4a36123b512f4d2fb6b8c0352dd5050

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
8d78d97edc76dfa649936a4ba69a9bc1

SHA1
67e24a6a864596b7f03ec6a6427f75ae545ca81e

SHA256
e90c004724f2798079b1c0b4127e30ad3bc634fb217dc2ffa35800592bef7597

SHA512
5a14a1aa860dde00f95fe9684f7b0b936f2d768f9109452c8b476f1969b64cacc83ffa9ebf2697099484a4fb65466b00f55e8063ae51ae9a8e67aa294fd2e187

Download Submit
C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

Filesize
30.1MB

MD5
0e4e9aa41d24221b29b19ba96c1a64d0

SHA1
231ade3d5a586c0eb4441c8dbfe9007dc26b2872

SHA256
5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

SHA512
e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

Download Submit
C:\Windows\Installer\MSI9EEF.tmp

Filesize
122KB

MD5
9fe9b0ecaea0324ad99036a91db03ebb

SHA1
144068c64ec06fc08eadfcca0a014a44b95bb908

SHA256
e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

SHA512
906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

Download Submit
C:\Windows\Installer\MSI9F8E.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSIA6D3.tmp

Filesize
297KB

MD5
7a86ce1a899262dd3c1df656bff3fb2c

SHA1
33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

SHA256
b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

SHA512
421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

Download Submit
memory/4072-4-0x000001B95C510000-0x000001B95C532000-memory.dmp

Filesize
136KB

Download
memory/4072-2789-0x00007FF8ECDD0000-0x00007FF8ED891000-memory.dmp

Filesize
10.8MB

Download
memory/4072-2385-0x000001B95C6C0000-0x000001B95C6D2000-memory.dmp

Filesize
72KB

Download
memory/4072-2383-0x000001B95C680000-0x000001B95C68A000-memory.dmp

Filesize
40KB

Download
memory/4072-0-0x00007FF8ECDD3000-0x00007FF8ECDD5000-memory.dmp

Filesize
8KB

Download
memory/4072-2-0x00007FF8ECDD0000-0x00007FF8ED891000-memory.dmp

Filesize
10.8MB

Download
memory/4072-1-0x000001B941DD0000-0x000001B941ECA000-memory.dmp

Filesize
1000KB

Download
memory/4072-17-0x00007FF8ECDD3000-0x00007FF8ECDD5000-memory.dmp

Filesize
8KB

Download
memory/4072-30-0x00007FF8ECDD0000-0x00007FF8ED891000-memory.dmp

Filesize
10.8MB

Download