ebbcb489171abfcfce56554dbaeacd22a15838391cbc7c756db02995129def5a

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

800KB
MD5

2a4dcf20b82896be94eb538260c5fb93
SHA1

21f232c2fd8132f8677e53258562ad98b455e679
SHA256

ebbcb489171abfcfce56554dbaeacd22a15838391cbc7c756db02995129def5a
SHA512

4f1164b2312fb94b7030d6eb6aa9f3502912ffa33505f156443570fc964bfd3bb21ded3cf84092054e07346d2dce83a0907ba33f4ba39ad3fe7a78e836efe288
SSDEEP

12288:t0zVvgDNMoWjTmFzAzBocaKjyWtiR1pptHxQ0z:O5vgHWjTwAlocaKjyyItHDz

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe

Executes dropped EXE 1 IoCs

pid	Process
4744	Solara.exe

Loads dropped DLL 11 IoCs

pid	Process
1356	MsiExec.exe
1356	MsiExec.exe
3432	MsiExec.exe
3432	MsiExec.exe
3432	MsiExec.exe
3432	MsiExec.exe
3432	MsiExec.exe
4896	MsiExec.exe
4896	MsiExec.exe
4896	MsiExec.exe
1356	MsiExec.exe

Unexpected DNS network traffic destination 28 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1

Blocklisted process makes network request 4 IoCs

flow	pid	Process
40	2708	msiexec.exe
42	2708	msiexec.exe
40	2708	msiexec.exe
42	2708	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
60	pastebin.com
61	pastebin.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\unique-filename\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cli-table3\src\table.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\query-selector-all.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-prefix.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-explore.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-completion.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-install-ci-test.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\just-diff-apply\rollup.config.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-dist-tag.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\types\sigstore\validate.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-exec.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\utils\tmpfile.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\is-core-module\core.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\events\tests\errors.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\ranges\intersects.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\utils\did-you-mean.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\nodewin\npx.ps1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\MSVSProject.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\utils\config\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\override-resolves.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\lib\content\rm.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\lib\internal\streams\end-of-stream.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\generator\gypsh.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\path-is-absolute\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\lib\memoization.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\unique-filename\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\lib\entry-index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\imurmurhash\imurmurhash.min.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\promise-retry\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man7\scripts.7	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\debug\src\browser.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\x509\asn1\tag.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmfund\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\text-table\example\center.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\make-fetch-happen\lib\cache\errors.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-registry-fetch\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cmd-shim\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\bin\ideal.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-stop.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\balanced-match\LICENSE.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\just-diff\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\color-convert\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\publish.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\gte.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\xml_fix.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\umask.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\docs.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\yarn.cmd	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\pnpm.ps1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-restart.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\diff\base.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man7\removal.7	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\make-fetch-happen\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\using-npm\developers.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\inherits\inherits.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\__init__.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\runtime.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-pick-manifest\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-cache.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-ci.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\agentkeepalive\index.js	msiexec.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIE5FB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF842.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1F45.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57e1b5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE9A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF831.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2215.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE65A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}	msiexec.exe
File created	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File created	C:\Windows\Installer\e57e1b5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC28.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEECA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B9A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C95.tmp	msiexec.exe
File created	C:\Windows\Installer\e57e1b9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE67A.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3188	ipconfig.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133733149759291555"	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 31 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\corepack	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\npm	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\PackageCode = "347C7A52EDBDC9A498427C0BC7ABB536"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeRuntime	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPath	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductName = "Node.js"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4050598569-1597076380-177084960-1000\{3F0243D2-3F2C-4FDF-9F33-9C06943EF54D}	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\DocumentationShortcuts	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeEtwSupport = "NodeRuntime"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Version = "303038464"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductIcon = "C:\\Windows\\Installer\\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\\NodeIcon"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\PackageName = "node-v18.16.0-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4216	Bootstrapper.exe
4216	Bootstrapper.exe
2708	msiexec.exe
2708	msiexec.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
4744	Solara.exe
3876	taskmgr.exe
3876	taskmgr.exe
4460	chrome.exe
4460	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2352	WMIC.exe
Token: SeSecurityPrivilege	2352	WMIC.exe
Token: SeTakeOwnershipPrivilege	2352	WMIC.exe
Token: SeLoadDriverPrivilege	2352	WMIC.exe
Token: SeSystemProfilePrivilege	2352	WMIC.exe
Token: SeSystemtimePrivilege	2352	WMIC.exe
Token: SeProfSingleProcessPrivilege	2352	WMIC.exe
Token: SeIncBasePriorityPrivilege	2352	WMIC.exe
Token: SeCreatePagefilePrivilege	2352	WMIC.exe
Token: SeBackupPrivilege	2352	WMIC.exe
Token: SeRestorePrivilege	2352	WMIC.exe
Token: SeShutdownPrivilege	2352	WMIC.exe
Token: SeDebugPrivilege	2352	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2352	WMIC.exe
Token: SeRemoteShutdownPrivilege	2352	WMIC.exe
Token: SeUndockPrivilege	2352	WMIC.exe
Token: SeManageVolumePrivilege	2352	WMIC.exe
Token: 33	2352	WMIC.exe
Token: 34	2352	WMIC.exe
Token: 35	2352	WMIC.exe
Token: 36	2352	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2352	WMIC.exe
Token: SeSecurityPrivilege	2352	WMIC.exe
Token: SeTakeOwnershipPrivilege	2352	WMIC.exe
Token: SeLoadDriverPrivilege	2352	WMIC.exe
Token: SeSystemProfilePrivilege	2352	WMIC.exe
Token: SeSystemtimePrivilege	2352	WMIC.exe
Token: SeProfSingleProcessPrivilege	2352	WMIC.exe
Token: SeIncBasePriorityPrivilege	2352	WMIC.exe
Token: SeCreatePagefilePrivilege	2352	WMIC.exe
Token: SeBackupPrivilege	2352	WMIC.exe
Token: SeRestorePrivilege	2352	WMIC.exe
Token: SeShutdownPrivilege	2352	WMIC.exe
Token: SeDebugPrivilege	2352	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2352	WMIC.exe
Token: SeRemoteShutdownPrivilege	2352	WMIC.exe
Token: SeUndockPrivilege	2352	WMIC.exe
Token: SeManageVolumePrivilege	2352	WMIC.exe
Token: 33	2352	WMIC.exe
Token: 34	2352	WMIC.exe
Token: 35	2352	WMIC.exe
Token: 36	2352	WMIC.exe
Token: SeDebugPrivilege	4216	Bootstrapper.exe
Token: SeShutdownPrivilege	2876	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2876	msiexec.exe
Token: SeSecurityPrivilege	2708	msiexec.exe
Token: SeCreateTokenPrivilege	2876	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2876	msiexec.exe
Token: SeLockMemoryPrivilege	2876	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2876	msiexec.exe
Token: SeMachineAccountPrivilege	2876	msiexec.exe
Token: SeTcbPrivilege	2876	msiexec.exe
Token: SeSecurityPrivilege	2876	msiexec.exe
Token: SeTakeOwnershipPrivilege	2876	msiexec.exe
Token: SeLoadDriverPrivilege	2876	msiexec.exe
Token: SeSystemProfilePrivilege	2876	msiexec.exe
Token: SeSystemtimePrivilege	2876	msiexec.exe
Token: SeProfSingleProcessPrivilege	2876	msiexec.exe
Token: SeIncBasePriorityPrivilege	2876	msiexec.exe
Token: SeCreatePagefilePrivilege	2876	msiexec.exe
Token: SeCreatePermanentPrivilege	2876	msiexec.exe
Token: SeBackupPrivilege	2876	msiexec.exe
Token: SeRestorePrivilege	2876	msiexec.exe
Token: SeShutdownPrivilege	2876	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe

Suspicious use of SendNotifyMessage 61 IoCs

pid	Process
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe
4460	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 3320	4216	Bootstrapper.exe	85
PID 4216 wrote to memory of 3320	4216	Bootstrapper.exe	85
PID 3320 wrote to memory of 3188	3320	cmd.exe	87
PID 3320 wrote to memory of 3188	3320	cmd.exe	87
PID 4216 wrote to memory of 372	4216	Bootstrapper.exe	91
PID 4216 wrote to memory of 372	4216	Bootstrapper.exe	91
PID 372 wrote to memory of 2352	372	cmd.exe	93
PID 372 wrote to memory of 2352	372	cmd.exe	93
PID 4216 wrote to memory of 2876	4216	Bootstrapper.exe	95
PID 4216 wrote to memory of 2876	4216	Bootstrapper.exe	95
PID 2708 wrote to memory of 1356	2708	msiexec.exe	98
PID 2708 wrote to memory of 1356	2708	msiexec.exe	98
PID 2708 wrote to memory of 3432	2708	msiexec.exe	99
PID 2708 wrote to memory of 3432	2708	msiexec.exe	99
PID 2708 wrote to memory of 3432	2708	msiexec.exe	99
PID 2708 wrote to memory of 4896	2708	msiexec.exe	105
PID 2708 wrote to memory of 4896	2708	msiexec.exe	105
PID 2708 wrote to memory of 4896	2708	msiexec.exe	105
PID 4896 wrote to memory of 4460	4896	MsiExec.exe	107
PID 4896 wrote to memory of 4460	4896	MsiExec.exe	107
PID 4896 wrote to memory of 4460	4896	MsiExec.exe	107
PID 4460 wrote to memory of 884	4460	wevtutil.exe	109
PID 4460 wrote to memory of 884	4460	wevtutil.exe	109
PID 4216 wrote to memory of 4744	4216	Bootstrapper.exe	111
PID 4216 wrote to memory of 4744	4216	Bootstrapper.exe	111
PID 4460 wrote to memory of 4812	4460	chrome.exe	117
PID 4460 wrote to memory of 4812	4460	chrome.exe	117
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 4484	4460	chrome.exe	118
PID 4460 wrote to memory of 2540	4460	chrome.exe	119
PID 4460 wrote to memory of 2540	4460	chrome.exe	119
PID 4460 wrote to memory of 1104	4460	chrome.exe	120
PID 4460 wrote to memory of 1104	4460	chrome.exe	120
PID 4460 wrote to memory of 1104	4460	chrome.exe	120
PID 4460 wrote to memory of 1104	4460	chrome.exe	120
PID 4460 wrote to memory of 1104	4460	chrome.exe	120

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:3188
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2352
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\ProgramData\Solara\Solara.exe
  "C:\ProgramData\Solara\Solara.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4744

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 645DBAEC45132A40ACBE2F18F453BF79
  2⤵
  - Loads dropped DLL
  PID:1356
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 027B1A8888FBF96D2C556F1B44876168
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3432
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 38BF5CDDBA0E36A77414B139336CA6E5 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\SysWOW64\wevtutil.exe
    "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Windows\System32\wevtutil.exe
      "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
      4⤵
      PID:884

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff92f8fcc40,0x7ff92f8fcc4c,0x7ff92f8fcc58
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1760,i,4039757362184912773,10590060001719565445,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1768 /prefetch:2
  2⤵
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2112,i,4039757362184912773,10590060001719565445,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2412 /prefetch:3
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2168,i,4039757362184912773,10590060001719565445,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2572 /prefetch:8
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,4039757362184912773,10590060001719565445,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3316,i,4039757362184912773,10590060001719565445,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3740,i,4039757362184912773,10590060001719565445,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4524 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4712,i,4039757362184912773,10590060001719565445,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,4039757362184912773,10590060001719565445,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4044,i,4039757362184912773,10590060001719565445,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4972,i,4039757362184912773,10590060001719565445,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3484 /prefetch:8
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3516,i,4039757362184912773,10590060001719565445,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4472 /prefetch:8
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3216,i,4039757362184912773,10590060001719565445,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3348 /prefetch:8
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3368,i,4039757362184912773,10590060001719565445,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  - Modifies registry class
  PID:3624

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3480

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57e1b8.rbs

Filesize
1.0MB

MD5
30a63dfe3c0411c1f6bd763da0af08ad

SHA1
0394f98a47646112ccfb6537612cc89ff64a02e5

SHA256
244cd17a25dc4767afd41516eec0e692371f7de309a702b074d2edffbf9259fd

SHA512
6872a23af12e53cff7ea9881b77bdb86f7c75dcdc3ca5e2109eb1a8eb68040503024661c4628b27a15a3db38f90f083ab4ed761750f78edd7d6e6dd7d1f81322

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
8KB

MD5
2a6686d512ee9ba8b75e0bce9a794770

SHA1
465e00320c74d4481a5e7e7242aaeb60d02e2fab

SHA256
5afa5bcab0d66f0dc65ccad359650730ace53dff1d891cd33a9f54aa43d34419

SHA512
ff44d6f3e7be06c98077a00854edb0ca122fc5c98c976f86787c7b003d224f62c1079412e7c5cdb36c2a6df0825dd17ccbffe44eb264fa63e3d1e44654af74b2

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
8KB

MD5
d3bc164e23e694c644e0b1ce3e3f9910

SHA1
1849f8b1326111b5d4d93febc2bafb3856e601bb

SHA256
1185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4

SHA512
91ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\aggregate-error\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\LICENSE.md

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts

Filesize
4KB

MD5
f0bd53316e08991d94586331f9c11d97

SHA1
f5a7a6dc0da46c3e077764cfb3e928c4a75d383e

SHA256
dd3eda3596af30eda88b4c6c2156d3af6e7fa221f39c46e492c5e9fb697e2fef

SHA512
fd6affbaed67d09cf45478f38e92b8ca6c27650a232cbbeaff36e4f7554fb731ae44cf732378641312e98221539e3d8fabe80a7814e4f425026202de44eb5839

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\LICENSE

Filesize
771B

MD5
1d7c74bcd1904d125f6aff37749dc069

SHA1
21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab

SHA256
24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9

SHA512
b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
db7dbbc86e432573e54dedbcc02cb4a1

SHA1
cff9cfb98cff2d86b35dc680b405e8036bbbda47

SHA256
7cf8a9c96f9016132be81fd89f9573566b7dc70244a28eb59d573c2fdba1def9

SHA512
8f35f2e7dac250c66b209acecab836d3ecf244857b81bacebc214f0956ec108585990f23ff3f741678e371b0bee78dd50029d0af257a3bb6ab3b43df1e39f2ec

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url

Filesize
133B

MD5
35b86e177ab52108bd9fed7425a9e34a

SHA1
76a1f47a10e3ab829f676838147875d75022c70c

SHA256
afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319

SHA512
3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62

Download Submit
C:\ProgramData\Solara\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\ProgramData\Solara\Solara.exe

Filesize
133KB

MD5
c6f770cbb24248537558c1f06f7ff855

SHA1
fdc2aaae292c32a58ea4d9974a31ece26628fdd7

SHA256
d1e4a542fa75f6a6fb636b5de6f7616e2827a79556d3d9a4afc3ecb47f0beb2b

SHA512
cac56c58bd01341ec3ff102fe04fdb66625baad1d3dd7127907cd8453d2c6e2226ad41033e16ba20413a509fc7c826e4fdc0c0d553175eb6f164c2fc0906614a

Download Submit
C:\ProgramData\Solara\Wpf.Ui.dll

Filesize
5.2MB

MD5
aead90ab96e2853f59be27c4ec1e4853

SHA1
43cdedde26488d3209e17efff9a51e1f944eb35f

SHA256
46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed

SHA512
f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\5e658a5e-a780-41e8-a325-5ddfcfa5e065.tmp

Filesize
8KB

MD5
dd60451058c0337483763bc5703ab852

SHA1
b1acc8ab2d9f75e45b776172ffdac34d970823f8

SHA256
5550347c140652eca2f86f0010bd36f2d4346a3b52292369620c4e88dd536f97

SHA512
5d76eef5d5149be5449a096e30da06a22dcb649d2fd2e8cd78bb77b278e909c7f309f1fcee8c0e7c6fe84f0af31c12cec84c01977e3010e73a06d7c6295b1a29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
2KB

MD5
20b0cd15471102d1a5e1f6601989d655

SHA1
f607a68ff1950be7941204bceae71aa31faea6c6

SHA256
5d9a3427049dd2be13de0849048ac894f1d7a8b5a9f3a85499dd7bcd9d3d6340

SHA512
be9d0daf0fb59c95e09862ab3cbd695f52aa8e884e6f25ae5a65d023990ecd0ce94ba2008f367548705fd9d8f71b7e558ee374bd65aa22d107122b319b5525a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
da47cad0800286ce1016e8149f1acfca

SHA1
e75522718d6e9f218acfe7f3d533e530a8e47e6e

SHA256
b39ad6463bf09a8970abe4d5644b7dee5f8dc3b39f85137efda272dbe4f671d8

SHA512
90729f7ebecdfae1f7a091290e3f31810ee706e2a35f0445b54b0ca6b7436347b7f8962b0d12c56f5038ef674365fc364ae9bdbe8e55eb663aaaf2e2edaf6b7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\25189363-e8d4-4b9f-9be1-6f7203bbfaf9.tmp

Filesize
1KB

MD5
c9e2c0da861fe9de9c080c6ba739ecc4

SHA1
8ac89fe1a4cf72fd7f0523ff82dcc4ec193ca549

SHA256
1d26db0e42d9c60882a71f490a5549a3444e5bfd244fd130d3b61189dfb975bf

SHA512
97d2106e5749fdcb6adf05f3d3e892ce58ed8c06e5416ca09e76abd37c0b603d1a881cabd83ec475ee2a734a83bd070e1f11da2bec904c8ebd666765768096ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
36f6ff8ee268e94700e2f308d53ad17b

SHA1
2a4152b40f6bf742e4641f6777f7827734bed875

SHA256
8700aa67568766b83a4aa4fb18d3c210f4d2207d5b124c050c4c2c3d61a6dcc2

SHA512
bc8ddb887093f8f828ae702ddc25179e2b3ff88861a19e253453754e3c3f3d8f43d7a0ddd891a48db86dce7a1fa37dcd816d50ac1c626fe44efc99ed36c898c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
315e01a48ed299cb0bb3e7e0363cf729

SHA1
2ffa4a91604c81be2ce99e36caaf446228bac73d

SHA256
d52219e736ef4fd5541a2715edaf3a704dedf18cebba6e88d29d740a997a62a3

SHA512
d88784afd7bfc76ade2e8085991166f723ff0a1ecb753c269e5fe08e2a10c57a0e69662dea8d1c65616838d57b76b31ce2275336016237683b37ad1e352d51b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ef91808ad9fb68b7429a485494443723

SHA1
4aaf043c3652848c63fc4de39955ac8c7f137681

SHA256
e5438cc5491c0adbeac1644f5c166994d65de318fcf37ededac107b229a2761d

SHA512
14815ab8364b12f4e1ee8f3fd95b84974663c6bcb4edd8c419ff6d1183a5b209a06c2674d95b7f8b916d01eda9f9166a4c4b442631676da1462f080730bfe272

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
8abe0b7507c428340331388865db94b8

SHA1
111e5c555b9efcb907fcbae205873ec2f687ba42

SHA256
e5289d6edecd3de8e51d97fd1b5dddb917ea295c31c3cf2ac1600b5762991fae

SHA512
10924043cca06af01955bd090434d39b40828c8fa9c5761fe7891b308b269d8dbd58f4b681157acb5f8c6b371371ab8baf48f83c4e1c62d892f8537201d0c477

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
46e67af83f1ac1edc68bcdf69b91885b

SHA1
4aa7789df79f1c1048b846985d944f5ee354ecf5

SHA256
853333a0dbf2542897435bc692f85f0ec93d6876ee9ffd8ea61b2e17dd35eb98

SHA512
2f443d6b50eda693e17c1daa713130532b62ae5f91a03d59f4d1de764ab738fa1448b2f88cd09ecb7d50aff1e991779ff74d8d5db4142eb5ec545866ab3375a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
9f88dc2ff65d1683322e905de1df1585

SHA1
5197c1bfa426c796891c8b9da5bf882660325556

SHA256
b2ff93405c8575dbbaf5525b2ce1c33070cdd621e2735b4a07c6737c2c996adf

SHA512
0908706e74569c12f1405cd0b8f23b1cef115bb2c794ed0b16078f47ff8334438890f1b0b93b33f82007ab7de333e85aa7a577c4132b24c1b289028f22e0e27c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
c2934b6b85d0e774a918481a88863a09

SHA1
a68d7e427093413845446138ce1c393cced288c5

SHA256
44e82c43a0d55e5e014e499ae6bfb597e596b71716517a464ae750312aa7ae4c

SHA512
a60c4dd4c7ff143f8a0fed0efd18c1eaf262a778d4aa84fa354294b6b96e8d0a52979ff20f9f029659641a48235a9a0378302aa33a214955bc542b07b3a62d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0e5e1fdf38780d902c7bf6285aec8c3b

SHA1
8e905a455c00a1f82ff9cd792ad002c0b7db9399

SHA256
e46c85b598a62650e27e5f293eb3149477edd8128ef203073d5948bd5cd1b203

SHA512
19c245049efbdf888bb21da61383f2f2fd3e8b328f8217f939759b3fc3e7bd1ae7ec22dce1e4a0693090f82a9cddd770730aa58988a44d9350418ccb5c44057d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
3cec47717f7a3bdf5030ae8ccb52f5f4

SHA1
806cbb0eacd0420654be87a042146422f5f71d46

SHA256
f3ebd2f9a1d57ac3a75672f4f5055403cf861456ac963ded0bedea5b32330722

SHA512
782c44d13fa9a7f82a877c5c2d0ba50527fca1e0c722d680de4f8a0f1ba4d9a62b4c79b1ec5bd96386f2c05bc2d39209b2b4c7f2d3f5f3cdbb653100677c4afc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3115464584d192dcb739b86bbc5b7d20

SHA1
8df9d13de6e99a97c8d99a0ed87644e53c861bdf

SHA256
717c9d7a8224aecd3a03b232b7a8dbe88a69ce3db31ad26842484a3fe0a8856d

SHA512
313a47e32fa12d929ce6e8bd65b52f1e0a5bdd9360cb685b6285d8efa7e99d56c3bd90bedaeff8f0c236072c1b2d2a309737f62d758afecf72a040c03ec6623c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
48a8b61037e94a88002b65ef8c2840ae

SHA1
b5ea8dbf9c6b4ba75354e24946bfcf33803731ae

SHA256
845ae0e4e8cb42d2b145a0309c8cf24fbebd11724010c5c1272d9ad2fe95d551

SHA512
6f8cdf670f779aa2e5c03357213e3aae5a0ff181e1f6475b2cb91484a69c591785db6f944129631acf79195dc3b052338122376e7a7ae6b6c6117d7d647b2363

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8701c6598b2548753628286b3d831868

SHA1
185a523537b9f389ef8897f70f1efc385d9d0ad4

SHA256
c1a0a6be1c3584d707c5932e8313a23d939d6cd4631be13378b4e8ff655037e2

SHA512
a1c34376e823292dac3e7dba5d7a1067e6fd1f30ea5a2a0d83f8214e48a3b5040343e5b78de9fa477e152e572a5e789efb0d22ac1e552188e51e6d342df33a9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
728d1a339ec6df7bc5c8f31b59f41a9d

SHA1
342629ac912e8de9bbbe6ceb76a2adc5819ada1b

SHA256
7fd0ffdfc5867b84158890c7adafd6b6761f5e810b31ad1b6260997c883e3577

SHA512
2c86aaecd80165d6bb82cd1bba92758aee8571293f43103c75dd85301f85919bd8fb97161a8a74607d4026dc6f0d7b61eb64b7455dfb53b4f780e942121d9bc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
532cdee0156a42190aa3374b4cdad19a

SHA1
2f82c0b860a65f661cdeea00beccd7345ddd0120

SHA256
8ad3c50300cdcb92bd9fe3b829837a3bb8cebd7ddfe5559e9fd23f2ebc4f0771

SHA512
f9433fb24f0ce7f29e330990fd4adb3770fd0692717eee69939003e2936b88a12390b98762508654596d162d40407844b53151e2d2d327465ab73cba8027d347

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
fac6e5ba76c28c6eed97aa9aaa431d3a

SHA1
5ac6f6ec77f61681a0ae81bd0437fa132bef4080

SHA256
98139ede41e275b85ed34b9b9dc232c1eb79eb42affc1543926f9ea258b21a63

SHA512
16fae9f7286332e2522c1b666dc0867bd05d29c9f01a59a7c683ad0bbb4803693ab4f532ab61f7b364cabfc41e777b1b5e22687cc6f3d3f9e37f9b2fa9dbf9c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
c8462ef5f99553f86767f857b52b2430

SHA1
7f2f381275598c3a0484220eba0d0ee76852994e

SHA256
ab17568ee0bd7978cdd33471cbcf1887357822817b213f4b20eab0122dcde072

SHA512
dce0d50097b3ab2e966d5984251bcd1bbfbdc6075c78b537060d42ad0a92c50138b05dd7254d954d7b2e04cae118d8695e2aa6649c9c45b07e9d5411d3db7695

Download Submit
C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

Filesize
30.1MB

MD5
0e4e9aa41d24221b29b19ba96c1a64d0

SHA1
231ade3d5a586c0eb4441c8dbfe9007dc26b2872

SHA256
5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

SHA512
e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

Download Submit
C:\Windows\Installer\MSIE5FB.tmp

Filesize
122KB

MD5
9fe9b0ecaea0324ad99036a91db03ebb

SHA1
144068c64ec06fc08eadfcca0a014a44b95bb908

SHA256
e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

SHA512
906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

Download Submit
C:\Windows\Installer\MSIE67A.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSIEE9A.tmp

Filesize
297KB

MD5
7a86ce1a899262dd3c1df656bff3fb2c

SHA1
33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

SHA256
b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

SHA512
421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

Download Submit
memory/3876-2356-0x000002C50FA30000-0x000002C50FA31000-memory.dmp

Filesize
4KB

Download
memory/3876-2359-0x000002C50FA30000-0x000002C50FA31000-memory.dmp

Filesize
4KB

Download
memory/3876-2347-0x000002C50FA30000-0x000002C50FA31000-memory.dmp

Filesize
4KB

Download
memory/3876-2349-0x000002C50FA30000-0x000002C50FA31000-memory.dmp

Filesize
4KB

Download
memory/3876-2348-0x000002C50FA30000-0x000002C50FA31000-memory.dmp

Filesize
4KB

Download
memory/3876-2358-0x000002C50FA30000-0x000002C50FA31000-memory.dmp

Filesize
4KB

Download
memory/3876-2357-0x000002C50FA30000-0x000002C50FA31000-memory.dmp

Filesize
4KB

Download
memory/3876-2355-0x000002C50FA30000-0x000002C50FA31000-memory.dmp

Filesize
4KB

Download
memory/3876-2354-0x000002C50FA30000-0x000002C50FA31000-memory.dmp

Filesize
4KB

Download
memory/3876-2353-0x000002C50FA30000-0x000002C50FA31000-memory.dmp

Filesize
4KB

Download
memory/4216-4-0x00007FF92F923000-0x00007FF92F925000-memory.dmp

Filesize
8KB

Download
memory/4216-2-0x00007FF92F920000-0x00007FF9303E1000-memory.dmp

Filesize
10.8MB

Download
memory/4216-1-0x0000019AFE160000-0x0000019AFE22E000-memory.dmp

Filesize
824KB

Download
memory/4216-2396-0x0000019AFE5D0000-0x0000019AFE5DA000-memory.dmp

Filesize
40KB

Download
memory/4216-2398-0x0000019AFFDF0000-0x0000019AFFE02000-memory.dmp

Filesize
72KB

Download
memory/4216-9-0x00007FF92F920000-0x00007FF9303E1000-memory.dmp

Filesize
10.8MB

Download
memory/4216-0-0x00007FF92F923000-0x00007FF92F925000-memory.dmp

Filesize
8KB

Download
memory/4216-5-0x0000019AFE5F0000-0x0000019AFE612000-memory.dmp

Filesize
136KB

Download
memory/4216-2818-0x00007FF92F920000-0x00007FF9303E1000-memory.dmp

Filesize
10.8MB

Download
memory/4744-2821-0x00000192E8720000-0x00000192E87D2000-memory.dmp

Filesize
712KB

Download
memory/4744-2819-0x00000192E8660000-0x00000192E871A000-memory.dmp

Filesize
744KB

Download
memory/4744-2816-0x00000192E89F0000-0x00000192E8F2C000-memory.dmp

Filesize
5.2MB

Download
memory/4744-2814-0x00000192CD620000-0x00000192CD644000-memory.dmp

Filesize
144KB

Download