njrat | hxxp://uploadnow[.]io/f/tv6ml4w

Resubmissions

10-11-2024 19:49

241110-yjqwdsxjcr 10

10-11-2024 15:11

241110-sk226aymex 10

Analysis

max time kernel
90s
max time network
101s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
10-11-2024 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://uploadnow.io/f/tv6ml4w

Score

10^/10

njrat xmrig hacked defense_evasion discovery evasion miner persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

hakim32.ddns.net:2000

86.1.93.186:25565

Mutex

7b8566fe52762c19d1b844b254fc8d30

Attributes

reg_key
7b8566fe52762c19d1b844b254fc8d30
splitter
|'|'|

Signatures

Njrat family
njrat
Xmrig family
xmrig
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/6072-3297-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/6072-3295-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/6072-3302-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/6072-3303-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/6072-3301-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/6072-3299-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/6072-3300-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3556 netsh.exe

pid	process
3556	netsh.exe

Drops startup file 4 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7b8566fe52762c19d1b844b254fc8d30Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7b8566fe52762c19d1b844b254fc8d30Windows Update.exe	server.exe

Executes dropped EXE 9 IoCs

Processes:

Bootstrapper.exeBootstrapper.exeservices.exeBootstrapperV1.22.exesvchost.exeserver.exeservices64.exeSolara.exesihost64.exe

pid	process
3516	Bootstrapper.exe
4592	Bootstrapper.exe
4368	services.exe
3232	BootstrapperV1.22.exe
2120	svchost.exe
436	server.exe
1104	services64.exe
5720	Solara.exe
6044	sihost64.exe

Loads dropped DLL 11 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exe

pid	process
3676	MsiExec.exe
3676	MsiExec.exe
4624	MsiExec.exe
4624	MsiExec.exe
4624	MsiExec.exe
4624	MsiExec.exe
4624	MsiExec.exe
4788	MsiExec.exe
4788	MsiExec.exe
4788	MsiExec.exe
3676	MsiExec.exe

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

65 660 msiexec.exe
67 660 msiexec.exe

flow	pid	process
65	660	msiexec.exe
67	660	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

66 pastebin.com
70 pastebin.com
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

flow	ioc
66	pastebin.com
70	pastebin.com

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

server.exe

description	ioc	process
File created	C:\autorun.inf	server.exe
File opened for modification	C:\autorun.inf	server.exe
File created	F:\autorun.inf	server.exe
File opened for modification	F:\autorun.inf	server.exe

Drops file in System32 directory 2 IoCs

Processes:

server.exe

description ioc process

File created C:\Windows\SysWOW64\Explower.exe server.exe
File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 5956 set thread context of 6072 5956 conhost.exe explorer.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe

description	pid	process	target process
PID 5956 set thread context of 6072	5956	conhost.exe	explorer.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\concat-map\example\map.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\util\params.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\abort-controller\dist\abort-controller.umd.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-exec.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\strip-trailing-slashes.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\are-we-there-yet\lib\tracker-stream.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\set.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\clone\clone.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\arborist\load-virtual.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\x509\asn1\parse.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\identity\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\node_modules\glob\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\disparity-colors\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\chownr\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cli-columns\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\spdx-expression-parse\parse.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\util-deprecate\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\fastest-levenshtein\esm\mod.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\wcwidth\docs\index.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\smart-buffer\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\client\fulcio.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\lib\get-node-modules.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\generator\android.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\config.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\read-package-json\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\gauge\lib\render-template.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\valid.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\events\tests\symbols.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-shrinkwrap.1	msiexec.exe
File created	C:\Program Files\nodejs\npx.cmd	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\xcode_emulation.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\util\oidc.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\configuring-npm\package-lock-json.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\bin\lib\timers.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\diff.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\arborist\isolated-reifier.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\util\encoding.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\init.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\process\test.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\events\tests\remove-listeners.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\lru-cache\index.mjs	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\gauge\lib\spin.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\normalize-package-data\lib\extract_description.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\pack.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\unique-slug\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\identity\ci.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\lib\base-theme.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\env-paths\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\lib\internal\streams\operators.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\base64-js\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\wrappy\wrappy.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmsearch\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\metavuln-calculator\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\normalize-windows-path.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\spdx-expression-parse\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\x509\asn1\dump.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\supports-color\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\.github\workflows\release-please.yml	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\socks\build\index.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\json-stringify-nice\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\configure.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\README.md	msiexec.exe

Drops file in Windows directory 25 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAEB4.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF4A8297C803510131.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF4D9D49CFB1795407.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF4530416578BACB85.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A02.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD7A.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI89D2.tmp	msiexec.exe
File created	C:\Windows\Installer\e586dcc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e586dc8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI70D6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DFB26BAF832E26F9D0.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI83F4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8434.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7154.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIACBE.tmp	msiexec.exe
File created	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB099.tmp	msiexec.exe
File created	C:\Windows\Installer\e586dc8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7184.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7EA4.tmp	msiexec.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Bootstrapper.exe:Zone.Identifier msedge.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Bootstrapper.exe:Zone.Identifier	msedge.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Bootstrapper.exeBootstrapper.exeserver.exewevtutil.exesvchost.exepowershell.exenetsh.exeMsiExec.exeMsiExec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

4868 ipconfig.exe

pid	process
4868	ipconfig.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe

Modifies registry class 30 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\DocumentationShortcuts	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductName = "Node.js"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\corepack	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\npm	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeRuntime	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPath	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Version = "303038464"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\PackageCode = "347C7A52EDBDC9A498427C0BC7ABB536"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductIcon = "C:\\Windows\\Installer\\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\\NodeIcon"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeEtwSupport = "NodeRuntime"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\PackageName = "node-v18.16.0-x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 164115.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Bootstrapper.exe:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3028 schtasks.exe

pid	process
3028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exepowershell.exeBootstrapperV1.22.execonhost.exemsiexec.exeSolara.execonhost.exe

pid	process
2192	msedge.exe
2192	msedge.exe
3512	msedge.exe
3512	msedge.exe
4052	identity_helper.exe
4052	identity_helper.exe
3036	msedge.exe
3036	msedge.exe
1948	msedge.exe
1948	msedge.exe
2556	powershell.exe
2556	powershell.exe
2556	powershell.exe
3232	BootstrapperV1.22.exe
3232	BootstrapperV1.22.exe
3232	BootstrapperV1.22.exe
4460	conhost.exe
4460	conhost.exe
660	msiexec.exe
660	msiexec.exe
5720	Solara.exe
5720	Solara.exe
5956	conhost.exe
5956	conhost.exe
5956	conhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

436 server.exe

pid	process
436	server.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

msedge.exe

pid	process
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeWMIC.exeBootstrapperV1.22.exeserver.exemsiexec.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeIncreaseQuotaPrivilege	4804	WMIC.exe
Token: SeSecurityPrivilege	4804	WMIC.exe
Token: SeTakeOwnershipPrivilege	4804	WMIC.exe
Token: SeLoadDriverPrivilege	4804	WMIC.exe
Token: SeSystemProfilePrivilege	4804	WMIC.exe
Token: SeSystemtimePrivilege	4804	WMIC.exe
Token: SeProfSingleProcessPrivilege	4804	WMIC.exe
Token: SeIncBasePriorityPrivilege	4804	WMIC.exe
Token: SeCreatePagefilePrivilege	4804	WMIC.exe
Token: SeBackupPrivilege	4804	WMIC.exe
Token: SeRestorePrivilege	4804	WMIC.exe
Token: SeShutdownPrivilege	4804	WMIC.exe
Token: SeDebugPrivilege	4804	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4804	WMIC.exe
Token: SeRemoteShutdownPrivilege	4804	WMIC.exe
Token: SeUndockPrivilege	4804	WMIC.exe
Token: SeManageVolumePrivilege	4804	WMIC.exe
Token: 33	4804	WMIC.exe
Token: 34	4804	WMIC.exe
Token: 35	4804	WMIC.exe
Token: 36	4804	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4804	WMIC.exe
Token: SeSecurityPrivilege	4804	WMIC.exe
Token: SeTakeOwnershipPrivilege	4804	WMIC.exe
Token: SeLoadDriverPrivilege	4804	WMIC.exe
Token: SeSystemProfilePrivilege	4804	WMIC.exe
Token: SeSystemtimePrivilege	4804	WMIC.exe
Token: SeProfSingleProcessPrivilege	4804	WMIC.exe
Token: SeIncBasePriorityPrivilege	4804	WMIC.exe
Token: SeCreatePagefilePrivilege	4804	WMIC.exe
Token: SeBackupPrivilege	4804	WMIC.exe
Token: SeRestorePrivilege	4804	WMIC.exe
Token: SeShutdownPrivilege	4804	WMIC.exe
Token: SeDebugPrivilege	4804	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4804	WMIC.exe
Token: SeRemoteShutdownPrivilege	4804	WMIC.exe
Token: SeUndockPrivilege	4804	WMIC.exe
Token: SeManageVolumePrivilege	4804	WMIC.exe
Token: 33	4804	WMIC.exe
Token: 34	4804	WMIC.exe
Token: 35	4804	WMIC.exe
Token: 36	4804	WMIC.exe
Token: SeDebugPrivilege	3232	BootstrapperV1.22.exe
Token: SeDebugPrivilege	436	server.exe
Token: 33	436	server.exe
Token: SeIncBasePriorityPrivilege	436	server.exe
Token: SeSecurityPrivilege	660	msiexec.exe
Token: SeRestorePrivilege	660	msiexec.exe
Token: SeTakeOwnershipPrivilege	660	msiexec.exe
Token: SeRestorePrivilege	660	msiexec.exe
Token: SeTakeOwnershipPrivilege	660	msiexec.exe
Token: SeRestorePrivilege	660	msiexec.exe
Token: SeTakeOwnershipPrivilege	660	msiexec.exe
Token: SeRestorePrivilege	660	msiexec.exe
Token: SeTakeOwnershipPrivilege	660	msiexec.exe
Token: SeDebugPrivilege	4460	conhost.exe
Token: SeRestorePrivilege	660	msiexec.exe
Token: SeTakeOwnershipPrivilege	660	msiexec.exe
Token: 33	436	server.exe
Token: SeIncBasePriorityPrivilege	436	server.exe
Token: SeRestorePrivilege	660	msiexec.exe
Token: SeTakeOwnershipPrivilege	660	msiexec.exe
Token: SeRestorePrivilege	660	msiexec.exe

Suspicious use of FindShellTrayWindow 40 IoCs

Processes:

msedge.exe

pid	process
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe
3512	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Bootstrapper.exeBootstrapper.exe

pid process

3516 Bootstrapper.exe
4592 Bootstrapper.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3512 wrote to memory of 3508	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 3508	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1076	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 2192	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 2192	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1512	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1512	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1512	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1512	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1512	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1512	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1512	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1512	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1512	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1512	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1512	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1512	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1512	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1512	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1512	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1512	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1512	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1512	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1512	3512	msedge.exe	msedge.exe
PID 3512 wrote to memory of 1512	3512	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://uploadnow.io/f/tv6ml4w
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff963d03cb8,0x7ff963d03cc8,0x7ff963d03cd8
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,12386901014650544530,2558720725226259944,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1764 /prefetch:2
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,12386901014650544530,2558720725226259944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,12386901014650544530,2558720725226259944,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12386901014650544530,2558720725226259944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12386901014650544530,2558720725226259944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12386901014650544530,2558720725226259944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,12386901014650544530,2558720725226259944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,12386901014650544530,2558720725226259944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12386901014650544530,2558720725226259944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12386901014650544530,2558720725226259944,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12386901014650544530,2558720725226259944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12386901014650544530,2558720725226259944,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12386901014650544530,2558720725226259944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12386901014650544530,2558720725226259944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12386901014650544530,2558720725226259944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12386901014650544530,2558720725226259944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2476 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12386901014650544530,2558720725226259944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2588 /prefetch:1
  2⤵
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,12386901014650544530,2558720725226259944,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6656 /prefetch:8
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,12386901014650544530,2558720725226259944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1948
- C:\Users\Admin\Downloads\Bootstrapper.exe
  "C:\Users\Admin\Downloads\Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3516
- - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4592
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAbABkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAeQBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAYQB4ACMAPgA="
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.22.exe
      "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.22.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3232
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c ipconfig /all
        5⤵
        
        PID:3540
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:4868
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
        5⤵
        
        PID:2684
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4804
    - - C:\Windows\System32\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
        5⤵
        
        PID:460
    - - C:\ProgramData\Solara\Solara.exe
        
        "C:\ProgramData\Solara\Solara.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5720
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2120
    - - C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Drops autorun.inf file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:436
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3556
- - C:\Users\Admin\AppData\Local\Temp\services.exe
    "C:\Users\Admin\AppData\Local\Temp\services.exe"
    3⤵
    - Executes dropped EXE
    PID:4368
  - - C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4460
    - - C:\Windows\System32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        5⤵
        
        PID:3260
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3028
    - - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        5⤵
        
        PID:4044
      - C:\Users\Admin\AppData\Local\Temp\services64.exe
        
        C:\Users\Admin\AppData\Local\Temp\services64.exe
        6⤵
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:5956
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        8⤵
        Executes dropped EXE
        
        PID:6044
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=48yTML2v9RKUS32RqWHhkBNF339PJYwB1KYnMxcRU76x5sq9oB58iBkQevqBsquoqdA3MAf9CZtu8UK4SqY4ebd1UMsRNEN --pass=ACL01567%98X --cpu-max-threads-hint=10 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=30 --cinit-stealth
        8⤵
        
        PID:6072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2460

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:660
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding AD3551E6164CA3B296EFCDB66D1987EB
  2⤵
  - Loads dropped DLL
  PID:3676
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0EBE6749B65338D51B31A5F5E433D0D1
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4624
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DDB097A33A066A4B474A525295B5AA1D E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4788
- - C:\Windows\SysWOW64\wevtutil.exe
    "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:720
  - - C:\Windows\System32\wevtutil.exe
      "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
      4⤵
      PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e586dcb.rbs

Filesize
1.0MB

MD5
a727ea9dcfdb81373e631cde526ce568

SHA1
22c8047aefcc4d2fb8bfbd33dd5de4e5331ae8e9

SHA256
b411f6d68fb078de7da6bc7cae24b5bd2d33dfaea9f9f17b8e6ba8fe3bd83ed3

SHA512
7bde15424523a35d67ca543e6806196af4f8b2e8f23cec6ac6b8eb09694133c5d9a94dc6e36e3545caa5c921f710210fe25dc23108ba3057636f31cf1cd2f8a4

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
8KB

MD5
2a6686d512ee9ba8b75e0bce9a794770

SHA1
465e00320c74d4481a5e7e7242aaeb60d02e2fab

SHA256
5afa5bcab0d66f0dc65ccad359650730ace53dff1d891cd33a9f54aa43d34419

SHA512
ff44d6f3e7be06c98077a00854edb0ca122fc5c98c976f86787c7b003d224f62c1079412e7c5cdb36c2a6df0825dd17ccbffe44eb264fa63e3d1e44654af74b2

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
8KB

MD5
d3bc164e23e694c644e0b1ce3e3f9910

SHA1
1849f8b1326111b5d4d93febc2bafb3856e601bb

SHA256
1185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4

SHA512
91ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\aggregate-error\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\LICENSE.md

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts

Filesize
4KB

MD5
f0bd53316e08991d94586331f9c11d97

SHA1
f5a7a6dc0da46c3e077764cfb3e928c4a75d383e

SHA256
dd3eda3596af30eda88b4c6c2156d3af6e7fa221f39c46e492c5e9fb697e2fef

SHA512
fd6affbaed67d09cf45478f38e92b8ca6c27650a232cbbeaff36e4f7554fb731ae44cf732378641312e98221539e3d8fabe80a7814e4f425026202de44eb5839

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\LICENSE

Filesize
771B

MD5
1d7c74bcd1904d125f6aff37749dc069

SHA1
21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab

SHA256
24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9

SHA512
b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
db7dbbc86e432573e54dedbcc02cb4a1

SHA1
cff9cfb98cff2d86b35dc680b405e8036bbbda47

SHA256
7cf8a9c96f9016132be81fd89f9573566b7dc70244a28eb59d573c2fdba1def9

SHA512
8f35f2e7dac250c66b209acecab836d3ecf244857b81bacebc214f0956ec108585990f23ff3f741678e371b0bee78dd50029d0af257a3bb6ab3b43df1e39f2ec

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url

Filesize
133B

MD5
35b86e177ab52108bd9fed7425a9e34a

SHA1
76a1f47a10e3ab829f676838147875d75022c70c

SHA256
afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319

SHA512
3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62

Download Submit
C:\ProgramData\Solara\Solara.exe

Filesize
133KB

MD5
c6f770cbb24248537558c1f06f7ff855

SHA1
fdc2aaae292c32a58ea4d9974a31ece26628fdd7

SHA256
d1e4a542fa75f6a6fb636b5de6f7616e2827a79556d3d9a4afc3ecb47f0beb2b

SHA512
cac56c58bd01341ec3ff102fe04fdb66625baad1d3dd7127907cd8453d2c6e2226ad41033e16ba20413a509fc7c826e4fdc0c0d553175eb6f164c2fc0906614a

Download Submit
C:\ProgramData\Solara\Wpf.Ui.dll

Filesize
5.2MB

MD5
aead90ab96e2853f59be27c4ec1e4853

SHA1
43cdedde26488d3209e17efff9a51e1f944eb35f

SHA256
46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed

SHA512
f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a2c784e6d797d91d4b8612e14d51bd

SHA1
25e2b07c396ee82e4404af09424f747fc05f04c2

SHA256
18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6

SHA512
fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1fc959921446fa3ab5813f75ca4d0235

SHA1
0aeef3ba7ba2aa1f725fca09432d384b06995e2a

SHA256
1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c

SHA512
899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
74095a67afcf174857804dcc4ec2036f

SHA1
eb4c5a371632d780625d4ee6f0810537dc14310d

SHA256
23de5a8f8b4077a256bd0d9d8ec2653990b989ad7b21e698e38f39d47e8a49b4

SHA512
05ba63a3a02aed07b1dfcd51bfc8ade6e20fce215b9b6bb1941dfe2a599dbcc805c554c02154c686162483b4cd1d49143b144365da7116d24e152c3933e30f5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9f6ac31f8a9142c3ba5e4750a98684ad

SHA1
1f7bb69d07c4243dd19421b34682979f0614b180

SHA256
bf0a55c29db67603fa3dbe8d9bdedcd2351d34f1efbababa7cb7f81b90f40c55

SHA512
4584a855b038d0f267ba3aa1cfec52c50d225882c1606bfd9b4ceb21572f3e64286a9cfdeca8cb6f33c644e129ca7d2a9c2ec83aa44816b4b2fe6baa63040003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
9684f6b09d64cd45ef95e11173072fb1

SHA1
b22e911bbd23c052e6495adbb4e27d4794d718fc

SHA256
3d0a38ecd127b1b3b053181dc33cfe7288ead8558889d4f8bc4a00bda70c19ff

SHA512
21dd3146253af1c51e8e967aac85d1c0197b0bc35d126c1202707b126d1afd63403d28b63794da054239bb74f178c403a40a94b4a6b1fde280fe6e905bef2e30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
407b02e07be5c40ba7ae3bfc084b1051

SHA1
466ebdba2948cb03a1dda96217766d36ce912769

SHA256
134dfb20b76697726d48a7878dc8545fe081a3901249e6999a29ccd2e19bebeb

SHA512
911058d2d29b9cdb27728047d9193128574c4b2484b43c14b4dff17b1c04ea0acc737fc241435ada2433a22263cbf1feb168c809a47860b9a1888fe564660cfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
811ae8456fe612f2d3a42e71d0bb874e

SHA1
15df0c62a1b9c5a58a9dafe8971de417f9db203c

SHA256
9a9bcae00692ad81d4b816960828de822f538d34a2c88235e887feb99062c68a

SHA512
7b6bbdf2ca15484d4b0186df65254f21811d3c37e43dbc64b3f0b090deb615193cb90f98f48ba2fca45bd140404720840c881a4adc0933308ad22d58f6a81431

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dc6fce585eb658bc6354371c4c9378cb

SHA1
a348d582ae7a60849f32e17d63a1427a30ebe3d4

SHA256
d0b5d72feedb80a96bbb70c095fb78d55c1c97d1fe57cc48349b82cc63206a08

SHA512
38da4f0df178bfc949a698a89bb022439d2e2d2fb5c754e4f6c0d011f6045241d9933b32b4e2bbb7b48db03e365f2e4c6499792e81dcc5d07e51bb6a692545db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e5ccc141c336a665a3ab9216fbc0cd11

SHA1
2e20b87133f39e8d60ef6d0536d15632d1c297bc

SHA256
df2fc6a7f25a54ec2f63bba22b9136cd35ce63c0fe21bb82bf28bae3d482c7ef

SHA512
46c5c29e321ce4b366a464bb7501381a9a3ca1cb58ad044b3bfd4e94cb6ea4f16ac996197b70bf18bff61fc64e2ac25d5921748628169ef2e70a1ce100e38183

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
d4b92260e05512222bef99a034e39eb1

SHA1
8da7818160df74a48fd1d2b2a6f372a4ec28c67a

SHA256
9c9ef363ae26559447c1534726f2563ca788f70a40773053309ec35c77e1a340

SHA512
d40ef948f6488285d3c44b6b8551e32aee274321374d01f4bf3ace4b01a3377f51cd6c50c6ac846cb11c5368cea0b8a3dc6b62fc194d3ef09e615dc8c5809cca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5828e0.TMP

Filesize
538B

MD5
5b1a0ee91139cc22c85f6981c73a958d

SHA1
b8232ac51f39ded31b747f183db275c03e20cb7c

SHA256
820cd6939ca82eb5a1ea3f331f1f95b4677c510881c2fcac0b3ecc4ed3c7a3b8

SHA512
845ef894f2965877adefedf428f859139a2df7cca1e32f74f31e97e7394a29b42012aedde026b47798685f1fbaeadaa3bff710a287b7b7a41720a1aa7f2b6f7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3e56ece7877c339a49c7643b72ecfd20

SHA1
fecab5707e7a2f0127d42aa4007c0903addf9475

SHA256
e2664e9ae843a861ef0b0c755a1d9506867b893c199ffa62435adef75581e309

SHA512
b7fe1306ac3bd8d4b816e3b0cc09d5978d07075398a66bf9a8d761a46fdf9dc3cefff45a92a19daa43b0d1defaada4369ca37f9320793ab4cdf25a9dcb0964ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8f38152e5bc0b599a4bdc9b06d5d12d0

SHA1
5010c1ce13c6cb5e4912d74a015bb73e35516d89

SHA256
f289cfa7ba576b96eb317894d219f2d37c73264cd9470f7bc574890de43eadca

SHA512
142aec8928f05eac2b630d47af8f05b008ff2b5af7abb0da444be12d8b35137197416ef0d3b34cb926732236d95783d652d0e3554289581e50760d2973d7cfc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
024f9d8803ac0b992887453a56054a61

SHA1
119fcb72e49436f1be7224802c19c60fdba79bd7

SHA256
d11aef0994956ddb0a8d2dcc492a0266146f1fb2f479cc98d6e0481f0b5043ec

SHA512
a4f35f9b7c847bc85c374bd48b9ff110aec043295e325d86f9dec35ab0e16bac1c79ab037aef980d7e7ef7d15b8d7bc721143c5517c1075011c8c5c886eafd5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
07bb86558bf8abb7b73da5367f15352a

SHA1
f3c30f3a8f21fad8c26071289c9aaffad93ce9e8

SHA256
53057d88bef8a301a951b7fb1a968827a01457d81e9be325f977cdfa7d69994d

SHA512
a74fc531a33d64a04eb60173620866232eb1edc7a2f508538a3c0c3187712415250df75981277e38d3d8a1f0a17a51ec8d05f9010ac58e7c2b17cc5cd411cf3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe

Filesize
19.0MB

MD5
4581b2e238f1dad629dc72c168b2be8e

SHA1
74dce1860065aad35cb68115545bdf862bddb775

SHA256
233f9f88c16fb185eb91f4afc116b808eb8fa5fd0cf1b3d3a92ec6732c56314b

SHA512
dcea04ffffdf35107a0cd6998eaef3f91270985c80028c206f59ae7d9b193defb3089826a7d1118391f849618904fdf7e77621348531b711d2eac89f422d132a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.22.exe

Filesize
800KB

MD5
2a4dcf20b82896be94eb538260c5fb93

SHA1
21f232c2fd8132f8677e53258562ad98b455e679

SHA256
ebbcb489171abfcfce56554dbaeacd22a15838391cbc7c756db02995129def5a

SHA512
4f1164b2312fb94b7030d6eb6aa9f3502912ffa33505f156443570fc964bfd3bb21ded3cf84092054e07346d2dce83a0907ba33f4ba39ad3fe7a78e836efe288

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uzue5tvn.ugh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

Filesize
30.1MB

MD5
0e4e9aa41d24221b29b19ba96c1a64d0

SHA1
231ade3d5a586c0eb4441c8dbfe9007dc26b2872

SHA256
5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

SHA512
e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

Download Submit
C:\Users\Admin\AppData\Local\Temp\services.exe

Filesize
2.1MB

MD5
582f9aacb1d35829e8c0456c292003dc

SHA1
6a78dfd8053c7843c08f9e0f25d37bc1bedf6d17

SHA256
09b17a2f3466045465789a7bc94296b911376b156f51829b9e8f23182cc81b21

SHA512
b67d1e44b3ca02f2c35fbfa662080dfae87260b6bf5eb095c7602ecaf35387e5c7d95c98b86bf8b69f9b1d38cf129aec54ed784f1dabc92a6c7742914a4eb9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
93KB

MD5
053913a8ea56bc5973dd3aa48dfa0a57

SHA1
f291c838cac064afe19dc618df7dba91c71c5ec6

SHA256
d6147d18985d4ab04c8e23d1f755ba92765ea63daf8bb498b18dbd5586ce8a25

SHA512
31d52760f4ae13f57f87ab17124141e55560c52e41ed013d9739fb1b856f1b1f02ba2f23f0b1ca7640a2edcb5aadf6511160d2f65625db3951082e85e3e16643

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
31KB

MD5
d03213e112515c99355a95483dad6dd1

SHA1
22d38b9fcf40532bc77d9e41087911b54b068bac

SHA256
7cb98cd26f6683ce15c072aa44ff04472a96cab1c7767832b7dc03841c224997

SHA512
9c6aa5fc1f3c1798f1c5e2f83eda1a214c9701993c65fbc606eef7b970b7ae37e1f44c3bee6a07d2f6c766c522cb35f87da1c563c810cb4b034d87cc4caa5c93

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
a65a8cc18c0fdcac3b78ed8f032e2f98

SHA1
9087f7aaf4edf3b132348b1e5dfa7a678d57d40e

SHA256
ca1c5c735384c64968c987e3e608cb48a3cbd73e870f1bc6d60f2b24f9445e3a

SHA512
8e56c9aa0c90fb30b488fa72a0b9d40e69c357e32d8e6f9d5a299dfbf9df8c896c28684d7163972019ab53dfcfe35dc75e9b305e07c81b9984a410e04b96186d

Download Submit
C:\Users\Admin\Downloads\Bootstrapper.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 164115.crdownload

Filesize
21.1MB

MD5
ad628bd8dbe3a4510fdada93663a809e

SHA1
aaa355b0854bd109bbd747bce409ac1cae5702ab

SHA256
26efbc17532e7b5e74578e2fa52992d9f9d1288bf7e495c134e49baa5a05745e

SHA512
dd30894709d8a850080b96d8f147bb29d7af7ba7a3f590ef34b4d98ce7a76d14869b5ad90124d539be4ab2a1e191356ee14815481a0ae7c5740236be6a1dd42e

Download Submit
C:\Windows\Installer\MSI7154.tmp

Filesize
122KB

MD5
9fe9b0ecaea0324ad99036a91db03ebb

SHA1
144068c64ec06fc08eadfcca0a014a44b95bb908

SHA256
e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

SHA512
906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

Download Submit
C:\Windows\Installer\MSI7184.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSI83F4.tmp

Filesize
297KB

MD5
7a86ce1a899262dd3c1df656bff3fb2c

SHA1
33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

SHA256
b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

SHA512
421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

Download Submit
\??\pipe\LOCAL\crashpad_3512_RXEKVKXHXSEDVZBI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2556-354-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/2556-365-0x0000000006110000-0x000000000612E000-memory.dmp

Filesize
120KB

Download
memory/2556-393-0x00000000076F0000-0x0000000007786000-memory.dmp

Filesize
600KB

Download
memory/2556-392-0x00000000074F0000-0x00000000074FA000-memory.dmp

Filesize
40KB

Download
memory/2556-390-0x0000000007AA0000-0x000000000811A000-memory.dmp

Filesize
6.5MB

Download
memory/2556-391-0x0000000007460000-0x000000000747A000-memory.dmp

Filesize
104KB

Download
memory/2556-378-0x00000000066D0000-0x0000000006704000-memory.dmp

Filesize
208KB

Download
memory/2556-388-0x00000000070F0000-0x000000000710E000-memory.dmp

Filesize
120KB

Download
memory/2556-389-0x0000000007320000-0x00000000073C4000-memory.dmp

Filesize
656KB

Download
memory/2556-379-0x000000006ECA0000-0x000000006ECEC000-memory.dmp

Filesize
304KB

Download
memory/2556-397-0x00000000077B0000-0x00000000077CA000-memory.dmp

Filesize
104KB

Download
memory/2556-394-0x0000000007670000-0x0000000007681000-memory.dmp

Filesize
68KB

Download
memory/2556-366-0x00000000061A0000-0x00000000061EC000-memory.dmp

Filesize
304KB

Download
memory/2556-364-0x0000000005C20000-0x0000000005F77000-memory.dmp

Filesize
3.3MB

Download
memory/2556-396-0x00000000076C0000-0x00000000076D5000-memory.dmp

Filesize
84KB

Download
memory/2556-355-0x0000000005BB0000-0x0000000005C16000-memory.dmp

Filesize
408KB

Download
memory/2556-353-0x0000000005260000-0x0000000005282000-memory.dmp

Filesize
136KB

Download
memory/2556-352-0x0000000005420000-0x0000000005A4A000-memory.dmp

Filesize
6.2MB

Download
memory/2556-350-0x0000000002C60000-0x0000000002C96000-memory.dmp

Filesize
216KB

Download
memory/2556-415-0x00000000077A0000-0x00000000077A8000-memory.dmp

Filesize
32KB

Download
memory/2556-395-0x00000000076B0000-0x00000000076BE000-memory.dmp

Filesize
56KB

Download
memory/3232-349-0x000001C9CE8E0000-0x000001C9CE9AE000-memory.dmp

Filesize
824KB

Download
memory/3232-437-0x000001C9E9040000-0x000001C9E9062000-memory.dmp

Filesize
136KB

Download
memory/3232-2861-0x000001C9E9020000-0x000001C9E902A000-memory.dmp

Filesize
40KB

Download
memory/4460-468-0x00000298A0B80000-0x00000298A0B92000-memory.dmp

Filesize
72KB

Download
memory/4460-466-0x000002989EA80000-0x000002989ECA0000-memory.dmp

Filesize
2.1MB

Download
memory/4460-467-0x00000298B9940000-0x00000298B9B60000-memory.dmp

Filesize
2.1MB

Download
memory/5720-3278-0x000002A1B1960000-0x000002A1B1984000-memory.dmp

Filesize
144KB

Download
memory/5720-3280-0x000002A1CC680000-0x000002A1CCBBC000-memory.dmp

Filesize
5.2MB

Download
memory/5720-3282-0x000002A1CC230000-0x000002A1CC2EA000-memory.dmp

Filesize
744KB

Download
memory/5720-3283-0x000002A1CC2F0000-0x000002A1CC3A2000-memory.dmp

Filesize
712KB

Download
memory/6072-3295-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/6072-3302-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/6072-3303-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/6072-3301-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/6072-3299-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/6072-3300-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/6072-3298-0x0000000000B90000-0x0000000000BB0000-memory.dmp

Filesize
128KB

Download
memory/6072-3297-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download