rhadamanthys | hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqbnI3aEhTeElhbm5nS3JSanFZTlozUlc5dmkzQXxBQ3Jtc0tsNXJBSWdKbGRTVUFxQTZITHRTZVBkb3NFdkhsUEZmd2NfV3dia3hxUVVpczBSSXBzTkpMQkVaa0JfcnBoM0FPYTA0bVRWTm1CWF9aWVBSNi00SFUtU1RwdlpyNjVRV1UwUXZFOHcxT0d2STk1RS1aOA&q=https%3A%2F%2Frekonise[.]com%2Fexec-ss8lr&v=OQtKIe-vJqw

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04-10-2024 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbnI3aEhTeElhbm5nS3JSanFZTlozUlc5dmkzQXxBQ3Jtc0tsNXJBSWdKbGRTVUFxQTZITHRTZVBkb3NFdkhsUEZmd2NfV3dia3hxUVVpczBSSXBzTkpMQkVaa0JfcnBoM0FPYTA0bVRWTm1CWF9aWVBSNi00SFUtU1RwdlpyNjVRV1UwUXZFOHcxT0d2STk1RS1aOA&q=https%3A%2F%2Frekonise.com%2Fexec-ss8lr&v=OQtKIe-vJqw

Score

10^/10

rhadamanthys defense_evasion discovery execution stealer

Malware Config

Extracted

Family

rhadamanthys

https://135.181.4.162:2423/97e9fc994198e76/02dgpgfn.5rkt4

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

executable.exe

description pid process target process

PID 4092 created 2824 4092 executable.exe sihost.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

572 powershell.exe
1460 powershell.exe
2764 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

Bootstrapper_V1.19.exeexecutable.exeBootstrapperV1.16.exeBootstrapperV1.22.exeSolara.exe

pid process

1720 Bootstrapper_V1.19.exe
4092 executable.exe
1076 BootstrapperV1.16.exe
4872 BootstrapperV1.22.exe
3488 Solara.exe

description	pid	process	target process
PID 4092 created 2824	4092	executable.exe	sihost.exe

pid	process
572	powershell.exe
1460	powershell.exe
2764	powershell.exe

pid	process
1720	Bootstrapper_V1.19.exe
4092	executable.exe
1076	BootstrapperV1.16.exe
4872	BootstrapperV1.22.exe
3488	Solara.exe

Loads dropped DLL 11 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exe

pid	process
1404	MsiExec.exe
1404	MsiExec.exe
5112	MsiExec.exe
5112	MsiExec.exe
5112	MsiExec.exe
5112	MsiExec.exe
5112	MsiExec.exe
4192	MsiExec.exe
4192	MsiExec.exe
4192	MsiExec.exe
1404	MsiExec.exe

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

111 4812 msiexec.exe
112 4812 msiexec.exe

flow	pid	process
111	4812	msiexec.exe
112	4812	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

Processes:

flow	ioc
102	pastebin.com
114	pastebin.com
1	raw.githubusercontent.com
13	pastebin.com
90	raw.githubusercontent.com
92	raw.githubusercontent.com
94	raw.githubusercontent.com
98	pastebin.com

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\node_modules\minipass\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\move-file\LICENSE.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cli-columns\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\chalk\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\negotiator\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-view.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man7\scope.7	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\docs\Updating-npm-bundled-node-gyp.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\error.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\gauge\lib\progress-bar.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-test.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\update.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\lib\depth-descent.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\event-target-shim\dist\event-target-shim.mjs	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\inflight\inflight.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-registry-fetch\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\lib\internal\streams\duplex.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\identity\provider.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\node_modules\brace-expansion\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\env-paths\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\events\security.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\emoji-regex\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\agentkeepalive\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npmlog\lib\log.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\p-map\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\read-entry.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\utils\audit-error.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-adduser.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\json-parse-even-better-errors\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmdiff\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\normalize-package-data\lib\safe_format.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\move-file\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@colors\colors\lib\maps\rainbow.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\generator\android.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\common.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\cacache\node_modules\glob\common.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\isexe\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\utils\is-windows.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\cacache\node_modules\brace-expansion\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmversion\lib\commit.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\util\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmdiff\lib\format-diff.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cssesc\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\ranges\valid.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmpublish\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-update.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\safer-buffer\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-flush\node_modules\minipass\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\git\lib\is.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\preload.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\using-npm\dependency-selectors.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\selectors\constructors.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\clean-stack\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\convert\dmp.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmpublish\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\gauge\lib\set-interval.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-owner.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\metavuln-calculator\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-star.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\text-table\example\align.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\create.js	msiexec.exe

Drops file in Windows directory 25 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI404B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI407B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI408C.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF9E2E03E424514B36.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFF09201074F885D9B.TMP	msiexec.exe
File created	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File created	C:\Windows\Installer\e593d8c.msi	msiexec.exe
File created	C:\Windows\Installer\e593d90.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI486D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI489D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4CF4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6822.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF7477360DC43F290F.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e593d8c.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4CF3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI64B5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI665B.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4734.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6437.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFAB2B85828FF807EF.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Bootstrapper_V1.19.exe:Zone.Identifier msedge.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Bootstrapper_V1.19.exe:Zone.Identifier	msedge.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exepowershell.exeopenwith.exeMsiExec.exewevtutil.exeBootstrapper_V1.19.exeexecutable.exeMsiExec.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper_V1.19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	executable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

4084 ipconfig.exe

pid	process
4084	ipconfig.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 30 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductName = "Node.js"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\PackageCode = "347C7A52EDBDC9A498427C0BC7ABB536"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\npm	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeRuntime	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductIcon = "C:\\Windows\\Installer\\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\\NodeIcon"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPath	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Version = "303038464"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeEtwSupport = "NodeRuntime"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\DocumentationShortcuts	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\corepack	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\PackageName = "node-v18.16.0-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 74573.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Bootstrapper_V1.19.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exepowershell.exepowershell.exepowershell.exeexecutable.exeopenwith.exeBootstrapperV1.22.exemsiexec.exeSolara.exemsedge.exe

pid	process
764	msedge.exe
764	msedge.exe
4756	msedge.exe
4756	msedge.exe
4280	identity_helper.exe
4280	identity_helper.exe
2044	msedge.exe
2044	msedge.exe
456	msedge.exe
456	msedge.exe
572	powershell.exe
572	powershell.exe
1460	powershell.exe
1460	powershell.exe
2764	powershell.exe
2764	powershell.exe
1460	powershell.exe
572	powershell.exe
2764	powershell.exe
4092	executable.exe
4092	executable.exe
4616	openwith.exe
4616	openwith.exe
4616	openwith.exe
4616	openwith.exe
4872	BootstrapperV1.22.exe
4872	BootstrapperV1.22.exe
4872	BootstrapperV1.22.exe
4872	BootstrapperV1.22.exe
4812	msiexec.exe
4812	msiexec.exe
3488	Solara.exe
3488	Solara.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe
3584	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

msedge.exe

pid	process
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXEpowershell.exepowershell.exepowershell.exeBootstrapper_V1.19.exeBootstrapperV1.16.exeWMIC.exeBootstrapperV1.22.exemsiexec.exemsiexec.exe

description	pid	process
Token: 33	2360	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2360	AUDIODG.EXE
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	1720	Bootstrapper_V1.19.exe
Token: SeDebugPrivilege	1076	BootstrapperV1.16.exe
Token: SeIncreaseQuotaPrivilege	1180	WMIC.exe
Token: SeSecurityPrivilege	1180	WMIC.exe
Token: SeTakeOwnershipPrivilege	1180	WMIC.exe
Token: SeLoadDriverPrivilege	1180	WMIC.exe
Token: SeSystemProfilePrivilege	1180	WMIC.exe
Token: SeSystemtimePrivilege	1180	WMIC.exe
Token: SeProfSingleProcessPrivilege	1180	WMIC.exe
Token: SeIncBasePriorityPrivilege	1180	WMIC.exe
Token: SeCreatePagefilePrivilege	1180	WMIC.exe
Token: SeBackupPrivilege	1180	WMIC.exe
Token: SeRestorePrivilege	1180	WMIC.exe
Token: SeShutdownPrivilege	1180	WMIC.exe
Token: SeDebugPrivilege	1180	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1180	WMIC.exe
Token: SeRemoteShutdownPrivilege	1180	WMIC.exe
Token: SeUndockPrivilege	1180	WMIC.exe
Token: SeManageVolumePrivilege	1180	WMIC.exe
Token: 33	1180	WMIC.exe
Token: 34	1180	WMIC.exe
Token: 35	1180	WMIC.exe
Token: 36	1180	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1180	WMIC.exe
Token: SeSecurityPrivilege	1180	WMIC.exe
Token: SeTakeOwnershipPrivilege	1180	WMIC.exe
Token: SeLoadDriverPrivilege	1180	WMIC.exe
Token: SeSystemProfilePrivilege	1180	WMIC.exe
Token: SeSystemtimePrivilege	1180	WMIC.exe
Token: SeProfSingleProcessPrivilege	1180	WMIC.exe
Token: SeIncBasePriorityPrivilege	1180	WMIC.exe
Token: SeCreatePagefilePrivilege	1180	WMIC.exe
Token: SeBackupPrivilege	1180	WMIC.exe
Token: SeRestorePrivilege	1180	WMIC.exe
Token: SeShutdownPrivilege	1180	WMIC.exe
Token: SeDebugPrivilege	1180	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1180	WMIC.exe
Token: SeRemoteShutdownPrivilege	1180	WMIC.exe
Token: SeUndockPrivilege	1180	WMIC.exe
Token: SeManageVolumePrivilege	1180	WMIC.exe
Token: 33	1180	WMIC.exe
Token: 34	1180	WMIC.exe
Token: 35	1180	WMIC.exe
Token: 36	1180	WMIC.exe
Token: SeDebugPrivilege	4872	BootstrapperV1.22.exe
Token: SeShutdownPrivilege	4704	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4704	msiexec.exe
Token: SeSecurityPrivilege	4812	msiexec.exe
Token: SeCreateTokenPrivilege	4704	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4704	msiexec.exe
Token: SeLockMemoryPrivilege	4704	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4704	msiexec.exe
Token: SeMachineAccountPrivilege	4704	msiexec.exe
Token: SeTcbPrivilege	4704	msiexec.exe
Token: SeSecurityPrivilege	4704	msiexec.exe
Token: SeTakeOwnershipPrivilege	4704	msiexec.exe
Token: SeLoadDriverPrivilege	4704	msiexec.exe
Token: SeSystemProfilePrivilege	4704	msiexec.exe
Token: SeSystemtimePrivilege	4704	msiexec.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

msedge.exe

pid	process
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4756 wrote to memory of 1536	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 1536	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 4720	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 764	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 764	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 3592	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 3592	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 3592	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 3592	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 3592	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 3592	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 3592	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 3592	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 3592	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 3592	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 3592	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 3592	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 3592	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 3592	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 3592	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 3592	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 3592	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 3592	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 3592	4756	msedge.exe	msedge.exe
PID 4756 wrote to memory of 3592	4756	msedge.exe	msedge.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2824
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbnI3aEhTeElhbm5nS3JSanFZTlozUlc5dmkzQXxBQ3Jtc0tsNXJBSWdKbGRTVUFxQTZITHRTZVBkb3NFdkhsUEZmd2NfV3dia3hxUVVpczBSSXBzTkpMQkVaa0JfcnBoM0FPYTA0bVRWTm1CWF9aWVBSNi00SFUtU1RwdlpyNjVRV1UwUXZFOHcxT0d2STk1RS1aOA&q=https%3A%2F%2Frekonise.com%2Fexec-ss8lr&v=OQtKIe-vJqw
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffffacf3cb8,0x7ffffacf3cc8,0x7ffffacf3cd8
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3312 /prefetch:8
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6892 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7140 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:456
- C:\Users\Admin\Downloads\Bootstrapper_V1.19.exe
  "C:\Users\Admin\Downloads\Bootstrapper_V1.19.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\SGDT'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:572
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1460
- - C:\SGDT\executable.exe
    "C:\SGDT\executable.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,10233458661513710804,5167290061698903246,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3256 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3416

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004C4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2304

C:\Users\Public\Desktop\BootstrapperV1.16.exe
"C:\Users\Public\Desktop\BootstrapperV1.16.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1076
- C:\Users\Public\Desktop\BootstrapperV1.22.exe
  "C:\Users\Public\Desktop\BootstrapperV1.22.exe" --oldBootstrapper "C:\Users\Public\Desktop\BootstrapperV1.16.exe" --isUpdate true
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4872
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c ipconfig /all
    3⤵
    PID:3108
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:4084
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    PID:1336
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1180
- - C:\Windows\System32\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4704
- - C:\ProgramData\Solara\Solara.exe
    "C:\ProgramData\Solara\Solara.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3488

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4812
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding C31071C34F30638222C06EB6DB76AC93
  2⤵
  - Loads dropped DLL
  PID:1404
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FA05301AA66655E40F2F3A02DC9291BD
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5112
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EEE02049C6657D788838E43DB17CE51D E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4192
- - C:\Windows\SysWOW64\wevtutil.exe
    "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2400
  - - C:\Windows\System32\wevtutil.exe
      "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
      4⤵
      PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e593d8f.rbs

Filesize
1.0MB

MD5
48ff97acdacd995732b4ede052cbb40b

SHA1
29519683d4e9639933914f7713ddc3a228d49680

SHA256
1bb155ed4b441bdaefe60e725adc1d2d180e2128ea857a8c7128910f54d82901

SHA512
6a924d81f723960bedf8c5c8327576bb7a5f2273dc9482b7d7632869936c87fea4a3f7544fde4ffe559b33d6b76fdc647901ab130208f36516249fde1b41d4d5

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
10KB

MD5
1d51e18a7247f47245b0751f16119498

SHA1
78f5d95dd07c0fcee43c6d4feab12d802d194d95

SHA256
1975aa34c1050b8364491394cebf6e668e2337c3107712e3eeca311262c7c46f

SHA512
1eccbe4ddae3d941b36616a202e5bd1b21d8e181810430a1c390513060ae9e3f12cd23f5b66ae0630fd6496b3139e2cc313381b5506465040e5a7a3543444e76

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
8KB

MD5
d3bc164e23e694c644e0b1ce3e3f9910

SHA1
1849f8b1326111b5d4d93febc2bafb3856e601bb

SHA256
1185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4

SHA512
91ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\aggregate-error\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\LICENSE.md

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts

Filesize
4KB

MD5
f0bd53316e08991d94586331f9c11d97

SHA1
f5a7a6dc0da46c3e077764cfb3e928c4a75d383e

SHA256
dd3eda3596af30eda88b4c6c2156d3af6e7fa221f39c46e492c5e9fb697e2fef

SHA512
fd6affbaed67d09cf45478f38e92b8ca6c27650a232cbbeaff36e4f7554fb731ae44cf732378641312e98221539e3d8fabe80a7814e4f425026202de44eb5839

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\LICENSE

Filesize
771B

MD5
1d7c74bcd1904d125f6aff37749dc069

SHA1
21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab

SHA256
24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9

SHA512
b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
db7dbbc86e432573e54dedbcc02cb4a1

SHA1
cff9cfb98cff2d86b35dc680b405e8036bbbda47

SHA256
7cf8a9c96f9016132be81fd89f9573566b7dc70244a28eb59d573c2fdba1def9

SHA512
8f35f2e7dac250c66b209acecab836d3ecf244857b81bacebc214f0956ec108585990f23ff3f741678e371b0bee78dd50029d0af257a3bb6ab3b43df1e39f2ec

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url

Filesize
133B

MD5
35b86e177ab52108bd9fed7425a9e34a

SHA1
76a1f47a10e3ab829f676838147875d75022c70c

SHA256
afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319

SHA512
3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62

Download Submit
C:\ProgramData\Solara\Solara.exe

Filesize
133KB

MD5
c6f770cbb24248537558c1f06f7ff855

SHA1
fdc2aaae292c32a58ea4d9974a31ece26628fdd7

SHA256
d1e4a542fa75f6a6fb636b5de6f7616e2827a79556d3d9a4afc3ecb47f0beb2b

SHA512
cac56c58bd01341ec3ff102fe04fdb66625baad1d3dd7127907cd8453d2c6e2226ad41033e16ba20413a509fc7c826e4fdc0c0d553175eb6f164c2fc0906614a

Download Submit
C:\SGDT\executable.exe

Filesize
423KB

MD5
844b868dabe70a2748c5f86c327e9391

SHA1
1d5ec1aa30faef047cda55d09b528046f275b9ff

SHA256
c339bc88c7ecc7c7d099e8457e16a7094fc2243e68ec30041d048b4f97b224c1

SHA512
92d93457a93969dbe3b8fcfb120be7cec97fc38646aa5b08b926ed2c909f3872ed00ff27f0b8423e7ad1d8dedb72511893504e8a6658cd9c35de0ce7c9151859

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8276eab0f8f0c0bb325b5b8c329f64f

SHA1
8ce681e4056936ca8ccd6f487e7cd7cccbae538b

SHA256
847f60e288d327496b72dbe1e7aa1470a99bf27c0a07548b6a386a6188cd72da

SHA512
42f91bf90e92220d0731fa4279cc5773d5e9057a9587f311bee0b3f7f266ddceca367bd0ee7f1438c3606598553a2372316258c05e506315e4e11760c8f13918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
058032c530b52781582253cb245aa731

SHA1
7ca26280e1bfefe40e53e64345a0d795b5303fab

SHA256
1c3a7192c514ef0d2a8cf9115cfb44137ca98ec6daa4f68595e2be695c7ed67e

SHA512
77fa3cdcd53255e7213bb99980049e11d6a2160f8130c84bd16b35ba9e821a4e51716371526ec799a5b4927234af99e0958283d78c0799777ab4dfda031f874f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
33KB

MD5
0ceb818a26c32ccc800255c207c0afac

SHA1
ecca1bec3f2eb5c5c444eb86a9835ed4ffd9766e

SHA256
b8f195a536a61525543f3a65ec2d11ec9cc27c2c18b74def7ac218ef4fa41124

SHA512
8f89398cca104d6fe7b4c3e7d86cdb6b401f1368ee711b7650c19a688dc616c36093aed2bf0a4dd27a269cfd6946bd3b4a435d4f9d6f2f48eab8ceb3803695f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
24KB

MD5
97a6a4d38da3525dcd0d8b0080e108df

SHA1
c47a29fe91d13a15fc17deb27e00ba2bd7578427

SHA256
2c36aaad8680cc9d89b6acc89b1a27a2dd9acec28b525f595c770f7f32c64795

SHA512
5fba2715cd7f8173b2108f883b9aae505498feab961b726da5e95e4eb16d17a61030c6230e01065af0eb1961e486cb2d3051a7a4ca0d0b2a57559519667aeee2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
18KB

MD5
42e77d4be9f153805d5a489984ff464b

SHA1
528a74ed644a9f9019b014cb635f2a75a8ffb7ef

SHA256
26bd2c6bb64005af830e1b4b6168d0d5c75690beb13617cbb97a91c83b93b9c8

SHA512
b3ab91b66c9324cc8ef8b1b0fdf9eadb09d035037776459e0bc13a15b9a1927a9b2b171d10d9e954c614ededf8c60d54b10dbd97b0a3e22abc045737ce8d432c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
32KB

MD5
4165e15c0e8e7f5313aba85f1fa09233

SHA1
15566d6448757cbbf77ba502d1451b9751a9de0d

SHA256
cb66c6e5653cc31df85d918477a83b8ce0e896f5bdd5878a09d00810eaf9ec90

SHA512
ee14c5f30f35b0e40d8fa082fbbbba642943d1c1039f7bf8c37ef83fedd15495946150074a1c4b603e581be3029ef9fa1e78e235286aaf276899823ce025bc19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
20KB

MD5
9a95465d3764f96b7999c7c0f30f87a6

SHA1
5d2f08cb28acc8716afc6406beec43120b5737df

SHA256
425485dac92e5a7f24fbe3c728977bb245cd9425ddfcfe51352eebbd8bd2c0fb

SHA512
e80de30197ce9460abac1f3831a85da660aa382afbebd41524b448dc0e092c0270e5758c6b5e67992d3129ac6e3bf55f5a01316c0515b241a4aa88044af59913

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
42f5d7d8f56df918be2af4435b65c2e3

SHA1
ab0e9e025f91fdc96319746f6c6bfd968c5c595e

SHA256
1192c906481ae35e8368f73116fb690b013e75e68d062065f644df07d4be9770

SHA512
94c88d9e8d1e5981ae37cdc396b27e15bdf4fbf0dee2f97dae88dbdb1631c6b78dc5d5be3c0c096d078bc85ea95684c1b0b56204e80700b6c246d2a537a52201

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
4dc0390f9add21aeb6860a4ae5e8682b

SHA1
61d501e563510245e316bd045c646689358ee616

SHA256
7501bb5a58a95fb43dbe68361a226cb5c62e04b979b7edb38b4f9bcb345e3719

SHA512
ce1ee5bfbd1bb614fe8bfc36d1f01fe67d815b3b7c23966d5a0545fc5351398f2264896082d25966a3b2c0195886bfe7d5f41ed237c78d5705a3109bd1de1812

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
7b5deefe73d9967e338d23a3571ea82f

SHA1
e5bf2ce6cedbd3b2a80fcae8fc4e56211698a887

SHA256
0a9b762e53bfee5e38dddd94e3613ef6b1f9427cf1750380d385286651114f9f

SHA512
c97510531b59bcfe8c3539831a08719caf91c2a841b4c2d3643dbe8678829760214e0a2bdcb309157f0a5fd821d32c2a16ea36f3d67f8619aed3e4f1d6584d2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Platform Notifications\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e6f1497249d50fd86b60615960efecfd

SHA1
50f31573eb98181bdd8041adca5304868fe5c6e6

SHA256
611e1b2de174e5542407adf26be63b9d6ca89fd4d26dd4d02f1e4af07bcefc63

SHA512
1768f502a6f20dd77acdc86059e3284cb3aa0bc5b09e751c2af5ee1ce1ddfe03dedb74b19ddfa021aaa3545d9322aa3fbff66db91562f4b6d8118a001d699cc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
db766eca27df525d4642be673e84f779

SHA1
4228c835d8bd1bcfc3b198756119021cdcd40d46

SHA256
e442805a0d9640c0f350d5fac48ff85bfff47e4d8a0fa8d61f5bfb41a3084fca

SHA512
2249261c01b82050b207397d79bb5b08b05f0c0b467d784396d91d0abe40e880922655fe32f8bdc9a3e4f9c559e65826e5f720301567defd7e9e8dfe6a41cb49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b6fcbb298414f40470cac945060f58be

SHA1
1037c0b01200b1fb62aac3fbb02224095b343135

SHA256
25cba17d616b8c78e5eca44a106ec918d5c031b979ed585b625df9516bfd7384

SHA512
bcd948e1b8750dc39277b1316208484944d71446e424ff5ab18c302f63c8c46fe5700ce8a12ff242a80294ab35eef6c3ad5027b8f9dc33b73155026b82b74e32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6eac16073b1b2c2fa8e0cc78eaf000ad

SHA1
9019ad97163d7a3162eec98ab57eeee2b5a79247

SHA256
a027df41750c7abbbc92086e44cea95c55f29300a64e4255683cc8b84f5c408d

SHA512
8350ab50a34974107a8b08ddaa9c3b1e5e40ac52331c4e8448401c38269cabf154c8886790f52af8d461dd4bac849ccc6dbd127253f4c540902b53eecb3215ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ed3abff882104024add2daf61ef0f3b3

SHA1
f0b6eb603879d7971ba974a3e2f224111b12b424

SHA256
b59552e5f132a42ea7e80ff5779c84454ce68563c8ea42d9a87baf42124f5cff

SHA512
23ca48558fcb07dd21d6a06c47242b29a2abcb20ef74069bccc10648c59147b6066277403459d549382738a99049e42a2e615b65d72bb1d153601ef822face38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
43ba3f2781fc91977aaf87ccdeb448e6

SHA1
e2d08fc069e83d485bfa5e1d0604c8b20d2c822b

SHA256
f14200b8878571b0898f7eac194b0d134509b7c307fc7c1118362c3d09e9c2e2

SHA512
05d5c731542f2fd11c947f140a442a3f3b47f522c2907b302f608b845e63aa6e85ea044ea93c97378cd71728790226cf1420d2d9995c3efcf4cb3a5bf19577bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\599db937-28af-47d0-ae97-3e81bdff23b3\index-dir\the-real-index

Filesize
2KB

MD5
7722b0a10641e92286dca2b5c46b6a17

SHA1
6dd9c52e8ddb4c4cf8be8682e93cda4a99f9cf25

SHA256
a7c04b6af79f090875135b7eca8aaec1e0e3a6e5130f8c9035e467dc7ae886fc

SHA512
b11dd92ec9cc5be2b915369ac9aee7fdc3ff351078ba6af671a28b8f16a7df0110c14a4e68ce9c1eafabab58077839fa380ea1eb654c5e32475ef88c2acbf317

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\599db937-28af-47d0-ae97-3e81bdff23b3\index-dir\the-real-index

Filesize
2KB

MD5
28ebbbb2123d2d31fb4949ea69b8da85

SHA1
7476e8b1b325a611c7834d57d9eb19ccfa49d733

SHA256
1db99f635a977f2537d79408f85b4d9256bbf008b9b4abe8d025a8971d3b03e2

SHA512
9f5fd80768c97978b3af07cffa0f6aae339de651896bb3491591b2a4bc08c4c209d903a374a674868ccb17637e02153ea637e468eaee496564c0ac8bf68f3f35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\599db937-28af-47d0-ae97-3e81bdff23b3\index-dir\the-real-index~RFe57fb77.TMP

Filesize
48B

MD5
88178b7409a66560949b8edaac40c3df

SHA1
3fd9999e223a89eb866d68f9222e55f4cefcddb9

SHA256
bb25d05b2c6eed09398e9921560a1cf14bae3a08e47972c82a0262ca5666d003

SHA512
95fe1c35949c676bb370b8d37971f01add93640a85797512075cf534a42be189c8c8da06990fdc2bbb29ad409abe8a502dd4a58f22b923b65b9e993a26253129

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\79c74dd8-95cd-463e-9ce7-80c8dde2e5d1\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9a322463-eaf2-40fa-8fbc-b9a3dd2cc127\index-dir\the-real-index

Filesize
624B

MD5
f21242f2eddbb73ff634669702c06315

SHA1
ffe33ac37c484b360ec021baae05094837cc3798

SHA256
84d1c6c25bb0023403c43b5e4e9ac409a2b2d2335e4f676dbd466e66d3d1276c

SHA512
932dc7b1b068a5ced1297204bc914eed51b468802ebe51ef5da4295fa391aff645593c93d09d0b4afbee33ce44947675c09fc346b1e7df6c725d6f5e35a93971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9a322463-eaf2-40fa-8fbc-b9a3dd2cc127\index-dir\the-real-index~RFe585ba8.TMP

Filesize
48B

MD5
22291116a87c7e93a0f6e13f988ead75

SHA1
4392b78009fd212380c57ede22d8d03dcc017539

SHA256
530f9f6b821bfb0ca15d75c5294916dea80cc2583346d317149409c5cb588791

SHA512
4afb49001af0f83b4b2c31dc0b95967020cb99e0a285018d0eb431f0a5dd3ec4ed99a1af4cef6391181155ebaf4b05e8a7aa205f3a2519cbea202ace5cd39276

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
a53498df71de62915497d1a6a15a8a3b

SHA1
60c36f95bb7d25646cb736f4665ef9f5924d6e17

SHA256
eac5efa0d2fcc2d18316d37c06f76499c7e8f7a42c7c6ed7778198c9a0b937b3

SHA512
55a63e96219259d6170c77e4727753075357b2543e84b62a2e235734ed4c390702c7a40504fc5370de80d51ef45848804142a11680b4b8f107e6f065890fd5df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
23e5849535fb850464b27848b399e2c8

SHA1
0a67a4c2cfb65738df4f112863ab6a61bee98a19

SHA256
7f57a4351afa86be0c523b7cc318990c9806b6bd50dd319078dce885b3e4ad07

SHA512
7a972f1d8f4b9070344ad420851ee5b0afcd516b0d2947ce4cfe57fdecbd7256362437a87803386c761313777bddfbb7a7049c3065f0c9e2581ee4ab95f558e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
028114a5f5eb34404c4eca1e41589f6b

SHA1
38876f7de6457c0aa8badf451f18b3fbc33903fc

SHA256
066cd2bb877a00fe6f5b8189dcbeab886d277626bc1e1d68781f1dd2a4d9059d

SHA512
9acdbccbe7e90db2a21859a5bb1713b6a87dcab91e3f6972519ea65822aca8c85c1d0f17ce913462345e9d6843f167e821b10c41e9edfed852b74895751b833b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
157B

MD5
4ddf88148e9786f8f22ce8e2376e58d8

SHA1
44a6da296ee8d1af39cabf653c1a252f92c1d115

SHA256
7225c51f60ca5ee51d8b8234cfd75177ef58bf243cbcddd121d83218ae9ec95e

SHA512
d139edb502d6eac02e632a11440a621ae82eb2e808a9d4dc4c170fe1a623908b9d75a9638758ef36df255639389ba50ef113ef62d06e63050f930c10eb439082

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
148B

MD5
6560ac8a4e027c4d8d6540bf4043d505

SHA1
1a6c54670fa379a31654fa80df5c59390ce0bd15

SHA256
0e0b79c898a8fdd250b0eda23549c367ad7a1d8bb24fe381c2b3410ec3363785

SHA512
1a1e20f72741a53a91b8fcefecdbde73a7753083362235d351ee1ab5b95d99ff94d95d9e69a4147e219e25888ef04de1c02511ab0afb256887a0c6a4c5fdaa69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
217B

MD5
e2d80418c5d731c1d4c7b5d1e4f8f378

SHA1
6c43d8e4e9cc9dd9f261a1a526d6ca534cc79a2d

SHA256
341c47fa64b53c4414986ca51723e3c78111366c672e92c637ab57d08f45494f

SHA512
353d7670adf970efa0d1c5e9e0e68dedeadb913bbafc450b58aa6080942c26e3d5d3251b40dbea8b5ef67bb1c2e98477e2054a16d0f503a2bd30c7b454430c63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
e6c14e8ef1f3ade177796c25051167c6

SHA1
4dc1b7e8cadc1c0e8ec77bd25f6d83141e5efaac

SHA256
160ed2df5e1028bf5d7ee171b9d6adb4420a6e1101a65208d6d153385f12fb83

SHA512
80ac9d6eeab359e68abbb765330faa17295bf0326fa996d20913b90aa75927ddb85dda2f7cd20da37e57e98b00ac384e95b8fb9948a287689ad1d2745976034f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
a44949bbe2477cbe670a389b020c3847

SHA1
dcd0508447229f885daeb3e63d496a3d0f108b02

SHA256
a27e5018e74aaa62e4b343219b4e2acb2bbfea7e4d8fd3068ab74fc30ffe9aa4

SHA512
5926bf166fcdca6ac6dffd736f928bb06539de77a215ac0eeedcbc8b9d865ab102431c7d69c4c300eb2320c93185a094fea33012d4193b2c4e10c7cda9289e60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57de4a.TMP

Filesize
89B

MD5
32360b29fec5fe0adf3aade59eb2ecd0

SHA1
bccca3660eefe46f20f831e5e2e1db27c48b6a7f

SHA256
0f1b453915e994910315dc34313b07865515910686b6bc5bff82f2531685752c

SHA512
18fc29195a0acb7d242161c0c46b8dd2e519f80e3329654bcbb0f8b0a45d9410da76bebf6203fdff2c016d69ef8aa8933b55b2dfbe90393f93822e5e36fbe7e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
e8af204548845d1075547105e0e578a3

SHA1
7ee98d98a10e500deb1926b1dd84bbc5b101c6b2

SHA256
a9351f17c3ebbc9e2092df35b2b7eb7c9c9b8458dedf2198ec876d9752632c6e

SHA512
5b67db78c7795f51c739742bd971e8939a4a7f2ceadf7b64e7cdc154ed3ddcba7398bd80c4a32e19518b7209f4d279d50750056cb18f61a186d5c8dde6dc37cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe584f44.TMP

Filesize
48B

MD5
2976074227b0a6b4123803d1a11cdf95

SHA1
17aa2f46fa99cd364002290aec0f026aca923063

SHA256
ae6307795c79ae6ed3cba29d3bf9c8997b5c302b20d202482c0bfec6d8089a1b

SHA512
ce37bdf2bc72f46df16dcc4d0ba93b39f12d542c11dbb998d51d7cfe7154c5f3b4725bd505eb158c7826ec914ded1a2f3dc748cfb64a9e54d9d9d3d9d83b0bc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2bf1c7a3317de325b397cee7a662c0fe

SHA1
0adefede9a162c6bf71015db4e59077ad700f8e9

SHA256
9abaa18d4376a15e851a251c8e712ed758e7be403fb62fca83a51aafddb9a276

SHA512
a6b86cc784d46a32263edc823bc9be72a04959326e1187bec2c9f8715e62a1169741c091f6adbfc89fa4253295088505e32c8fdccca3219a6df0e3147f7434f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
17f475eb5bc4004432a85818693d7da7

SHA1
7e8fe375a9986e983846a4b42cb27b0e39b3bb6d

SHA256
1e45c05bb117e83f371d8a0aac4acd64151786050e1bc444c900dd006b1cb9ba

SHA512
458273c03071b2b55cafc95d42b78db692099b05882bc22423c229540c7e5e603f5f236f6a99576c6224941f6f0d36b91df7a80c1446800004c197bea60cfee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
76c3b1c144db5798710e3e48ae3c8432

SHA1
b06bd8acbbc33144d4546e9717ad06a3b7277e41

SHA256
30dbcca61ae686f90f705010cad675e6cd772117a1d00f9f85d7b9b8e82e620f

SHA512
1e2e279d37e5ddbbe3022951b01801e562ed7ec1dffa8852769f960136b0caf603700b9b084f479f8c09a9adca22a3173c5eff82b3db46e8e3bb5afefa74f279

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7adece2594887a20086f6d3047f57aff

SHA1
6eb7bd80f6bd4069b119b773f3ff2b5f502f3933

SHA256
5dda8081201851821a294bc4e54ec73f00982e9497f4df6d6e6fbbecde7420b3

SHA512
0f3f84027d7d6f282d8603673c436cb7d874047f141acdaca4665216c5084dbed94276466d613f513813b2d959d21927fcff3d88ecbbd2398cef0f775cf90748

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fed2.TMP

Filesize
539B

MD5
fb7ef7c1adf179c9dfe27f575196fafb

SHA1
4e4769fc4faa414bf0581b9a0a2bdde51f155f2e

SHA256
9963b8d968f918d53396e69048d6b6f0bde266b136efe149674e12e96ddda1d5

SHA512
43947dddcc118fef7522a7416f4c9151c514a6796085dd52d24a12cff03807bcf36365fdc904526b387731e7ebb978a29a1cd70de4614b1973023dd676b81199

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
618b47eadee4f1f743640f0315dd749a

SHA1
df335a0d2318885318936c4ee53920f7ab66a9cd

SHA256
cbcc3e30e633f3002e5e6cc1476efc0f3103f315bb99981db4baeaff9e81ed2b

SHA512
4ff2f77a2295a2e49e0ce83796af88dfb94696625cc8e8c8a9f4d2f60a5d51c7d4a378c9f95da99bc4af67f2d4911346f5a0dd61812df53cfc41de59da57f7f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cc0ee3ba0c7217d830bfb713df57e65c

SHA1
35620a456e61e8a1e8cb4f03bd73cca524dd2111

SHA256
5d9c1bf1ea34ead16aa68f70340db0aa6548528994ca30a2204ef373a2f616c5

SHA512
f1c5b53d53694750dd44e86d133aa9253c224b9f3cfa986af9c63131a6259b6eecb93c04851a8c59de2da113aa78bc100d36c83fd43c0215254f0daac788abe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c1738ede9ad7f937f0c3ada1593a8028

SHA1
ebd1309ae71e9aa9c1fa7a21a95d0f89a18b90d2

SHA256
6a245686e431183b80ebe1f44e5fa09a297522b0fda9f622d7f924c703b15fcb

SHA512
1bf54da7f7061504c03943dcfc8935419a6d717417e5a58234e8918edbaa776c896cfa0fd04e6adca1fdd37110cfadd252299abc02bb2ab3a781beaf7fab56eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9d656818258983586420058638cdd793

SHA1
9e71d18a449cfa77675145924dce27c8db4660d2

SHA256
dec5684588e843754cc7bb882edb16eb59b7ad4e47b4cd82251a6a57d19e1645

SHA512
8b592a575a21f7171d2575d99f6d7685f65b26c6ba428effa7e32516659533379a609a38e22f280a7c8f5683f8fd7c048ea53bf06d468be135a0873eceae7cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4qmlv2uh.o3n.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

Filesize
30.1MB

MD5
0e4e9aa41d24221b29b19ba96c1a64d0

SHA1
231ade3d5a586c0eb4441c8dbfe9007dc26b2872

SHA256
5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

SHA512
e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
11KB

MD5
0988d7a72890d23f5d403fb9d57ccb63

SHA1
311466d2d39018f62a4932c42b30947614cfc724

SHA256
9ad99302a321da4dec4882f3d5e4d1205735cf817e4240d1fc810abd923e4359

SHA512
9e03053f64b0c88a24d1a2700802126b91942dd6f3173641e8dc14c19952f849177e5ac8da8bcf21b07a39d6a50c52ed1ad1292a2565f62db7db087e4495dea1

Download Submit
C:\Users\Admin\Desktop\DISCORD

Filesize
103B

MD5
487ab53955a5ea101720115f32237a45

SHA1
c59d22f8bc8005694505addef88f7968c8d393d3

SHA256
d64354a111fd859a08552f6738fecd8c5594475e8c03bb37546812a205d0d368

SHA512
468689d98645c9f32813d833a07bbcf96fe0de4593f4f4dc6757501fbce8e9951d21a8aa4a7050a87a904d203f521134328d426d4e6ab9f20e7e759769003b7c

Download Submit
C:\Users\Admin\Downloads\Bootstrapper_V1.19.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 74573.crdownload

Filesize
134KB

MD5
e86843fd1931a45196d44ae99c75d185

SHA1
a18d71b4531acd21b2d72fbceb9d10f87b81f3a0

SHA256
8b26fe4e3151ca112d370dfe054a092160e7aa42d8b3ede87f8eee44ea6e100a

SHA512
2949a66a98746b0798fcbd1ae2fa749a4d9019b1764c46273daec653f47eddc65d18280d6e2cd1fa58e4ae0f9c92803a6666d22a57e98d434887e57b9533cc02

Download Submit
C:\Users\Public\Desktop\BootstrapperV1.16.exe

Filesize
972KB

MD5
90fd25ced85fe6db28d21ae7d1f02e2c

SHA1
e27eff4cd4d383f5c564cce2bd1aaa2ffe4ec056

SHA256
97572bd57b08b59744e4dfe6f93fb96be4002dfe1aa78683771725401776464f

SHA512
1c775cf8dfde037eaa98eb14088c70d74923f0f6a83030a71f2f4c1a4453f6154dab7a4aa175e429860badda3e5e0ae226f3c3e8171332f5962bf36f8aa073fa

Download Submit
C:\Users\Public\Desktop\BootstrapperV1.22.exe

Filesize
800KB

MD5
2a4dcf20b82896be94eb538260c5fb93

SHA1
21f232c2fd8132f8677e53258562ad98b455e679

SHA256
ebbcb489171abfcfce56554dbaeacd22a15838391cbc7c756db02995129def5a

SHA512
4f1164b2312fb94b7030d6eb6aa9f3502912ffa33505f156443570fc964bfd3bb21ded3cf84092054e07346d2dce83a0907ba33f4ba39ad3fe7a78e836efe288

Download Submit
C:\Windows\Installer\MSI404B.tmp

Filesize
122KB

MD5
9fe9b0ecaea0324ad99036a91db03ebb

SHA1
144068c64ec06fc08eadfcca0a014a44b95bb908

SHA256
e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

SHA512
906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

Download Submit
C:\Windows\Installer\MSI408C.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSI486D.tmp

Filesize
297KB

MD5
7a86ce1a899262dd3c1df656bff3fb2c

SHA1
33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

SHA256
b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

SHA512
421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

Download Submit
\??\pipe\LOCAL\crashpad_4756_SMUTRPHBCUHEHUGX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/572-1289-0x0000000005780000-0x0000000005DAA000-memory.dmp

Filesize
6.2MB

Download
memory/572-1358-0x000000006C900000-0x000000006C94C000-memory.dmp

Filesize
304KB

Download
memory/572-1381-0x0000000007A30000-0x0000000007A38000-memory.dmp

Filesize
32KB

Download
memory/572-1288-0x0000000002EE0000-0x0000000002F16000-memory.dmp

Filesize
216KB

Download
memory/572-1369-0x00000000076F0000-0x000000000770A000-memory.dmp

Filesize
104KB

Download
memory/572-1370-0x0000000007760000-0x000000000776A000-memory.dmp

Filesize
40KB

Download
memory/572-1371-0x0000000007990000-0x0000000007A26000-memory.dmp

Filesize
600KB

Download
memory/572-1372-0x0000000007900000-0x0000000007911000-memory.dmp

Filesize
68KB

Download
memory/1076-1429-0x0000028492240000-0x000002849233A000-memory.dmp

Filesize
1000KB

Download
memory/1076-1432-0x00000284929C0000-0x00000284929E2000-memory.dmp

Filesize
136KB

Download
memory/1460-1292-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download
memory/1460-1348-0x000000006C900000-0x000000006C94C000-memory.dmp

Filesize
304KB

Download
memory/1460-1377-0x0000000007910000-0x000000000792A000-memory.dmp

Filesize
104KB

Download
memory/1460-1373-0x00000000077F0000-0x00000000077FE000-memory.dmp

Filesize
56KB

Download
memory/1460-1376-0x0000000007800000-0x0000000007815000-memory.dmp

Filesize
84KB

Download
memory/1460-1290-0x00000000054D0000-0x00000000054F2000-memory.dmp

Filesize
136KB

Download
memory/1460-1368-0x0000000007BF0000-0x000000000826A000-memory.dmp

Filesize
6.5MB

Download
memory/1460-1291-0x0000000005C30000-0x0000000005C96000-memory.dmp

Filesize
408KB

Download
memory/1460-1293-0x0000000005D90000-0x00000000060E7000-memory.dmp

Filesize
3.3MB

Download
memory/1460-1318-0x0000000006260000-0x000000000627E000-memory.dmp

Filesize
120KB

Download
memory/1460-1319-0x00000000067E0000-0x000000000682C000-memory.dmp

Filesize
304KB

Download
memory/1720-1265-0x0000000009BD0000-0x0000000009C08000-memory.dmp

Filesize
224KB

Download
memory/1720-1263-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/1720-1264-0x0000000009540000-0x0000000009548000-memory.dmp

Filesize
32KB

Download
memory/1720-1266-0x0000000009990000-0x000000000999E000-memory.dmp

Filesize
56KB

Download
memory/2764-1367-0x00000000073E0000-0x0000000007484000-memory.dmp

Filesize
656KB

Download
memory/2764-1357-0x0000000006990000-0x00000000069AE000-memory.dmp

Filesize
120KB

Download
memory/2764-1338-0x00000000073A0000-0x00000000073D4000-memory.dmp

Filesize
208KB

Download
memory/2764-1339-0x000000006C900000-0x000000006C94C000-memory.dmp

Filesize
304KB

Download
memory/3488-4259-0x0000014DE6F90000-0x0000014DE704A000-memory.dmp

Filesize
744KB

Download
memory/3488-4260-0x0000014DE7050000-0x0000014DE7102000-memory.dmp

Filesize
712KB

Download
memory/3488-4258-0x0000014DE7410000-0x0000014DE794C000-memory.dmp

Filesize
5.2MB

Download
memory/3488-4257-0x0000014DCC730000-0x0000014DCC754000-memory.dmp

Filesize
144KB

Download
memory/4092-1410-0x0000000000B90000-0x0000000000C0E000-memory.dmp

Filesize
504KB

Download
memory/4092-1403-0x00000000038C0000-0x0000000003CC0000-memory.dmp

Filesize
4.0MB

Download
memory/4092-1400-0x0000000000B90000-0x0000000000C0E000-memory.dmp

Filesize
504KB

Download
memory/4092-1407-0x0000000076530000-0x0000000076782000-memory.dmp

Filesize
2.3MB

Download
memory/4092-1404-0x00000000038C0000-0x0000000003CC0000-memory.dmp

Filesize
4.0MB

Download
memory/4092-1405-0x00007FF809C20000-0x00007FF809E29000-memory.dmp

Filesize
2.0MB

Download
memory/4616-1408-0x0000000000470000-0x0000000000479000-memory.dmp

Filesize
36KB

Download
memory/4616-1412-0x00007FF809C20000-0x00007FF809E29000-memory.dmp

Filesize
2.0MB

Download
memory/4616-1411-0x00000000020C0000-0x00000000024C0000-memory.dmp

Filesize
4.0MB

Download
memory/4616-1414-0x0000000076530000-0x0000000076782000-memory.dmp

Filesize
2.3MB

Download
memory/4872-3843-0x00000227FE5B0000-0x00000227FE5C2000-memory.dmp

Filesize
72KB

Download
memory/4872-3841-0x00000227FFE10000-0x00000227FFE1A000-memory.dmp

Filesize
40KB

Download
memory/4872-1445-0x00000227FBF10000-0x00000227FBFDE000-memory.dmp

Filesize
824KB

Download