xworm | fb764f1a547a99a62584b1c57ecb1b852fd3f0ce6bf742f2806fd2d86fff2ea3

Resubmissions

12-11-2024 19:51

241112-yk6y1asrep 10

Analysis

max time kernel
538s
max time network
539s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Arduino.ino
Size

753B
MD5

bad8ee7aaff8ec856f69fedda9626501
SHA1

b2051bfa6415c08db7f61ddd88511af7a6361d8e
SHA256

fb764f1a547a99a62584b1c57ecb1b852fd3f0ce6bf742f2806fd2d86fff2ea3
SHA512

96ef127b219c4801a5dc82c7ef1937e80e6e880172debe8ea6345ca69d7f628bdf3a035c142e286d4a5cb6bb1cc135770fcffa1669dda32709888036a10429f1

Score

10^/10

xworm defense_evasion discovery execution rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:56069

front-applications.gl.at.ply.gg:56069

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2516-3849-0x0000000000C80000-0x0000000000C94000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5772	powershell.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	node.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	node.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	node.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	node.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	node.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	node.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	node.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	node.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	node.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	node.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	node.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	node.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	node.exe

Executes dropped EXE 30 IoCs

pid	Process
5244	node.exe
4072	node.exe
3244	node.exe
5800	node.exe
5040	node.exe
2196	node.exe
1164	node.exe
6068	node.exe
6076	node.exe
4260	node.exe
932	node.exe
4752	node.exe
3952	node.exe
3260	node.exe
1320	node.exe
2548	node.exe
6104	node.exe
456	node.exe
4216	node.exe
5904	node.exe
5292	node.exe
2348	node.exe
5868	node.exe
1352	node.exe
6080	node.exe
2412	node.exe
5496	node.exe
2516	cmd.exe
5492	node.exe
4308	node.exe

Loads dropped DLL 7 IoCs

pid	Process
3604	MsiExec.exe
3604	MsiExec.exe
4424	MsiExec.exe
4424	MsiExec.exe
4424	MsiExec.exe
5752	MsiExec.exe
6076	MsiExec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
104	4200	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
5976	cmd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\mkdirp\dist\cjs\src\mkdirp-native.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\map-workspaces\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\trust\trust.types.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\cacache\lib\verify.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ssri\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\shared.types.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\lib\util\glob.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\diff\json.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmdiff\lib\untar.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmversion\lib\retrieve-tag.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-registry-fetch\lib\auth.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\dist\commonjs\platform.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\dist\esm\platform.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-repo.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@tufjs\models\dist\role.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@isaacs\cliui\node_modules\emoji-regex\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\mkdirp\dist\cjs\src\use-native.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\docs\Testing.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\path-scurry\LICENSE.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\shebang-command\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-run-script.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\token.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmexec\lib\is-windows.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\lib\registry.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-config.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-exec.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-audit-report\lib\reporters\install.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\dist\commonjs\fix-eperm.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\string-width-cjs\license	msiexec.exe
File created	C:\Program Files\nodejs\corepack	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@isaacs\fs-minipass\dist\commonjs\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cross-spawn\node_modules\which\bin\node-which	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\negotiator\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\proc-log\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-audit-report\lib\reporters\quiet.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\selectors\guards.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\using-npm\removal.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\validate-npm-package-license\node_modules\spdx-expression-parse\scan.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\extract.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\node_modules\make-fetch-happen\lib\cache\errors.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\dist\esm\retry-busy.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\unique-slug\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@tufjs\models\dist\timestamp.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\path-scurry\dist\commonjs\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ansi-styles\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\mkdirp\dist\mjs\find-made.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmpack\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmversion\lib\read-json.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\proc-log\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\node_modules\minipass-fetch\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\corepack.cmd	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@isaacs\cliui\build\index.cjs	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\dist\esm\rimraf-move-remove.d.ts.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-uninstall.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\node_modules\minipass-fetch\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\clean-stack\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\emoji-regex\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\fastest-levenshtein\esm\mod.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\node_modules\@npmcli\fs\lib\cp\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\definitions\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\chalk\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\node_modules\make-fetch-happen\lib\remote.js	msiexec.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{A6C2B110-5934-4A7F-B8C1-51E7CD51FF82}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB16D.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A6C2B110-5934-4A7F-B8C1-51E7CD51FF82}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7721.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB3C0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7192.tmp	msiexec.exe
File created	C:\Windows\Installer\e58700d.msi	msiexec.exe
File created	C:\Windows\Installer\e58700b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58700b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7172.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI79D2.tmp	msiexec.exe
File created	C:\Windows\Installer\{A6C2B110-5934-4A7F-B8C1-51E7CD51FF82}\NodeIcon	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001397c7f967de25740000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001397c7f90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001397c7f9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1397c7f9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001397c7f900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133759147235565661"	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\PackageCode = "7ADA4E96FE88DF64FB4F54512750A882"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\DocumentationShortcuts	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\011B2C6A4395F7A48B1C157EDC15FF28	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\EnvironmentPath	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\ProductIcon = "C:\\Windows\\Installer\\{A6C2B110-5934-4A7F-B8C1-51E7CD51FF82}\\NodeIcon"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\npm	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\Version = "369819648"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\PackageName = "node-v22.11.0-x64.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\NodeRuntime	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\ProductName = "Node.js"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\corepack	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\Net	msiexec.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2176	chrome.exe
2176	chrome.exe
2180	msiexec.exe
2180	msiexec.exe
4072	node.exe
4072	node.exe
5800	node.exe
5800	node.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
1904	chrome.exe
2196	node.exe
2196	node.exe
6068	node.exe
6068	node.exe
4260	node.exe
4260	node.exe
4752	node.exe
4752	node.exe
3260	node.exe
3260	node.exe
2548	node.exe
2548	node.exe
456	node.exe
456	node.exe
5904	node.exe
5904	node.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
5868	node.exe
5868	node.exe
2412	node.exe
2412	node.exe
5772	powershell.exe
5772	powershell.exe
5772	powershell.exe
4308	node.exe
4308	node.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	4200	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4200	msiexec.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeSecurityPrivilege	2180	msiexec.exe
Token: SeCreateTokenPrivilege	4200	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4200	msiexec.exe
Token: SeLockMemoryPrivilege	4200	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4200	msiexec.exe
Token: SeMachineAccountPrivilege	4200	msiexec.exe
Token: SeTcbPrivilege	4200	msiexec.exe
Token: SeSecurityPrivilege	4200	msiexec.exe
Token: SeTakeOwnershipPrivilege	4200	msiexec.exe
Token: SeLoadDriverPrivilege	4200	msiexec.exe
Token: SeSystemProfilePrivilege	4200	msiexec.exe
Token: SeSystemtimePrivilege	4200	msiexec.exe
Token: SeProfSingleProcessPrivilege	4200	msiexec.exe
Token: SeIncBasePriorityPrivilege	4200	msiexec.exe
Token: SeCreatePagefilePrivilege	4200	msiexec.exe
Token: SeCreatePermanentPrivilege	4200	msiexec.exe
Token: SeBackupPrivilege	4200	msiexec.exe
Token: SeRestorePrivilege	4200	msiexec.exe
Token: SeShutdownPrivilege	4200	msiexec.exe
Token: SeDebugPrivilege	4200	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
4200	msiexec.exe
4200	msiexec.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe
3596	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4380	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 1384	2176	chrome.exe	95
PID 2176 wrote to memory of 1384	2176	chrome.exe	95
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 5060	2176	chrome.exe	97
PID 2176 wrote to memory of 2724	2176	chrome.exe	98
PID 2176 wrote to memory of 2724	2176	chrome.exe	98
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99
PID 2176 wrote to memory of 1188	2176	chrome.exe	99

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Arduino.ino
1⤵
- Modifies registry class
PID:5012

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x74,0x7c,0x80,0xe8,0x84,0x7ffeb9d5cc40,0x7ffeb9d5cc4c,0x7ffeb9d5cc58
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1792,i,13282019958640965272,11992690666328124703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1788 /prefetch:2
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2036,i,13282019958640965272,11992690666328124703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,13282019958640965272,11992690666328124703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2428 /prefetch:8
  2⤵
  PID:1188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,13282019958640965272,11992690666328124703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,13282019958640965272,11992690666328124703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3136,i,13282019958640965272,11992690666328124703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3664 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4696,i,13282019958640965272,11992690666328124703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:4324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4720,i,13282019958640965272,11992690666328124703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4888,i,13282019958640965272,11992690666328124703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3700,i,13282019958640965272,11992690666328124703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4944,i,13282019958640965272,11992690666328124703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4712,i,13282019958640965272,11992690666328124703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4744,i,13282019958640965272,11992690666328124703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4868,i,13282019958640965272,11992690666328124703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4684,i,13282019958640965272,11992690666328124703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4816 /prefetch:2
  2⤵
  PID:2864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5268,i,13282019958640965272,11992690666328124703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5220,i,13282019958640965272,11992690666328124703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4008 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5580,i,13282019958640965272,11992690666328124703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5264,i,13282019958640965272,11992690666328124703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  PID:3628
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\node-v22.11.0-x64.msi"
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5640,i,13282019958640965272,11992690666328124703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5876,i,13282019958640965272,11992690666328124703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6032,i,13282019958640965272,11992690666328124703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=832,i,13282019958640965272,11992690666328124703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6092,i,13282019958640965272,11992690666328124703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6196 /prefetch:8
  2⤵
  PID:1504

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3256

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2180
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 18610E30FA05632DA17E48238CF93312 C
  2⤵
  - Loads dropped DLL
  PID:3604
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:552
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 02BCE2327DBA4B9FCFA299950C855344
  2⤵
  - Loads dropped DLL
  PID:4424
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding F7EF3CCB6EBF4B70550A17A8614F25CC E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:5752
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 00D1449501945101AA10294F0F4F8DCB
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:6076

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2968

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:5608

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
  2⤵
  PID:5468
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
    3⤵
    - Executes dropped EXE
    PID:5244
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
  2⤵
  PID:5692
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
    3⤵
    - Executes dropped EXE
    PID:3244
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" i fixexec
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
  2⤵
  PID:5528
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
    3⤵
    - Executes dropped EXE
    PID:5040
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" i fixexec
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
  2⤵
  PID:5560
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
    3⤵
    - Executes dropped EXE
    PID:1164
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" i fixexec
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:6068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
  2⤵
  PID:1076
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
    3⤵
    - Executes dropped EXE
    PID:6076
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" i fixexec
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4260

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5948

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:5676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
  2⤵
  PID:884
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
    3⤵
    - Executes dropped EXE
    PID:932
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" i [email protected]
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
  2⤵
  PID:972
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
    3⤵
    - Executes dropped EXE
    PID:3952
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" i [email protected]
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
  2⤵
  PID:3916
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
    3⤵
    - Executes dropped EXE
    PID:1320
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" i [email protected]
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
  2⤵
  PID:1136
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
    3⤵
    - Executes dropped EXE
    PID:6104
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" i fixexec
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
  2⤵
  PID:3248
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
    3⤵
    - Executes dropped EXE
    PID:4216
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" i fixexec
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5904
- C:\Program Files\nodejs\node.exe
  node index.js
  2⤵
  - Executes dropped EXE
  PID:5292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
  2⤵
  PID:5756
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
    3⤵
    - Executes dropped EXE
    PID:2348
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" i fs-extra
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5868
- C:\Program Files\nodejs\node.exe
  node index.js
  2⤵
  - Executes dropped EXE
  PID:1352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
  2⤵
  PID:6056
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
    3⤵
    - Executes dropped EXE
    PID:6080
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" i sudo-prompt
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2412
- C:\Program Files\nodejs\node.exe
  node index.js
  2⤵
  - Executes dropped EXE
  PID:5496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Start-Process -FilePath "'C:\Users\Admin\AppData\Local\Temp\c9a9fb14b6f576c1ab246f3e71fd495f\execute.bat'" -WindowStyle hidden -Verb runAs"
    3⤵
    - Hide Artifacts: Hidden Window
    PID:5976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Start-Process -FilePath "'C:\Users\Admin\AppData\Local\Temp\c9a9fb14b6f576c1ab246f3e71fd495f\execute.bat'" -WindowStyle hidden -Verb runAs
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:5772
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c9a9fb14b6f576c1ab246f3e71fd495f\execute.bat"
        5⤵
        
        PID:2272
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5568
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        Executes dropped EXE
        
        PID:2516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
  2⤵
  PID:5088
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
    3⤵
    - Executes dropped EXE
    PID:5492
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" i fixexec
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4308

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58700c.rbs

Filesize
935KB

MD5
85b02b8203e54258a55bdfcff70077eb

SHA1
ea432282d018782b8b87f5a93d3cef98310c4f4f

SHA256
0f8f3e4227b7a854eabb0c416c4ff301ba4cd68f0612b23a2a6e6e41a7c7a8a1

SHA512
8357e328f76035edcf1dfe8c157c351ca001bd3c5b71037bc229a14209e6cca1954168afb34fcaeceeca47c103849e639fcba503eb840ae0bb0ed458a81485c6

Download Submit
C:\Program Files\nodejs\node_modules\npm\bin\npm-prefix.js

Filesize
864B

MD5
92dd1b5a463374142271ff420cb473a5

SHA1
a9f946c6a8c6f273f837703acc74c367b7781a99

SHA256
673f620e40137c295f2cf057364468bf3a71653dfc0973be895ebf7a8c368c2e

SHA512
5e0a6e4a9cff4b37acbece070a592a65ed044a78e1b104517eb5bb233d4398f67140b44e986e7a2de16bfb65b0ab7609e831341efea2a6f583258b6a85f70e01

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\index.js

Filesize
29KB

MD5
a2819bc319ade96e220b81c11ba1fd62

SHA1
f711920489d12ac7704e323de4cea98009299e7d

SHA256
9976a7f202a683370a170f8ab053d89cf6450c9d0596d8bed92bb762f0dca92e

SHA512
64b409c59d3e7df84ddd87163fb03f38d1bbed259323392685e01103ff9d2a43b456a5df5812e2bd3de61e0ae61520ccad444a92ea908a15bd871146630edd32

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\type-defs.js

Filesize
1KB

MD5
8385a8a608e5cdd5a79957a6c979fb28

SHA1
d20fd55ae3664cd339245fdd26a28983baf97f2e

SHA256
5f8cab3a4133b226c653784d569a9bf3e5a2ee76ac73b9156cd58a2c72839648

SHA512
3bec37444635d9cdc9a2f1224fa9160213fc4dd1234e98080c7ec825f07785ac93d4a88bf8bb4bb91470ec070da9b32acc20b111d2d3fcd15397a8e641dd6eac

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\umask.js

Filesize
949B

MD5
ae8c8f3d710c2c7a5cacbcef9c6f9646

SHA1
3fabbd5fcbeca40267f54aa7f523afa573062ad3

SHA256
9aec687f45f435f9f198e583f35b5f5a4cd0d66e21c2e6e9c772fd8ccbe65b68

SHA512
94d94b24e7eafbf499923e92020ed5f7bf8aa606f3031ae4b99fdcabab2625a3bd84c60d6d1f236509c5281becbe06c697911db10dbc2b014bafa3903b5f00ce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\package.json

Filesize
1KB

MD5
901e577d669d97e811a11f172dfb6655

SHA1
25d518b50deb389e311821d64d4b0b106618d7c7

SHA256
245d5f0e2a7508229e1cd3ee5f518d93c99eb8280fb35f7df149fe5222bb8af5

SHA512
ead727e7e751b897e060abbfdbc97ffe8d2c3efb9baffaf922ff97d8d6366bd7cc0727e4355cc4679d065bd2892d2550ab3349b235d9b0e6e0475cb6bc59f397

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\node_modules\@npmcli\fs\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\tuf\LICENSE

Filesize
11KB

MD5
dfc1b916d4555a69859202f8bd8ad40c

SHA1
fc22b6ee39814d22e77fe6386c883a58ecac6465

SHA256
7b0ce3425a26fdba501cb13508af096ade77e4036dd2bd8849031ddecf64f7c9

SHA512
1fbe6bb1f60c8932e4dcb927fc8c8131b9c73afd824ecbabc2045e7af07b35a4155a0f8ad3103bf25f192b6d59282bfc927aead3cb7aaeb954e1b6dbd68369fa

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\shared.types.js

Filesize
79B

MD5
24563705cc4bb54fccd88e52bc96c711

SHA1
871fa42907b821246de04785a532297500372fc7

SHA256
ef1f170ad28f2d870a474d2f96ae353d770fff5f20e642cd8f9b6f1d7742df13

SHA512
2ce8d2cf580623358fef5f4f8925d0c9943a657c2503c80048ca789bf16eacdb980bfc8aaaa50101a738e939926fcf2545500484dcad782c700ee206d8c6f9b9

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\p-map\license

Filesize
1KB

MD5
b862aeb7e1d01452e0f07403591e5a55

SHA1
b8765be74fea9525d978661759be8c11bab5e60e

SHA256
fcf1a18be2e25ba82acf2c59821b030d8ee764e4e201db6ef3c51900d385515f

SHA512
885369fe9b8cb0af1107ee92b52c6a353da7cf75bc86abb622e2b637c81e9c5ffe36b0ac74e11cfb66a7a126b606fe7a27e91f3f4338954c847ed2280af76a5f

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\tar\dist\esm\package.json

Filesize
26B

MD5
2324363c71f28a5b7e946a38dc2d9293

SHA1
7eda542849fb3a4a7b4ba8a7745887adcade1673

SHA256
1bf0e53fc74b05f1aade7451fbac72f1944b067d4229d96bae7a225519a250e4

SHA512
7437cf8f337d2562a4046246fbfcc5e9949f475a1435e94efbc4b6a55880050077d72692cbc3413e0ccd8f36adf9956a6cc633a2adc85fbff6c4aa2b8edac677

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\yallist\dist\commonjs\package.json

Filesize
28B

MD5
56368b3e2b84dac2c9ed38b5c4329ec2

SHA1
f67c4acef5973c256c47998b20b5165ab7629ed4

SHA256
58b55392b5778941e1e96892a70edc12e2d7bb8541289b237fbddc9926ed51bd

SHA512
d662bff3885118e607079fcbeedb27368589bc0ee89f90b9281723fa08bda65e5a08d9640da188773193c0076ec0a5c92624673a6a961490be163e2553d6f482

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\fs-minipass\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\indent-string\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\ini\lib\ini.js

Filesize
7KB

MD5
84b82e208b562cc8c5a48cf65e6ab0f0

SHA1
0adca343dd729beb86ebbb103f9d84e7ebbd17af

SHA256
481b00a4ebbfc83b28b97d32dccd32d7585b29b209930d4db457d91967f172ad

SHA512
377034e60d9d2ef3da96f23cb32f679754a67d3cd5991b1ad899f9f7c1910dcd0d9b0a1b0530046b6016896bd869a1607ef29c99949407959dcece6f9da790f5

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\ini\package.json

Filesize
1KB

MD5
5b29ab3cad80b08ec094c8201333ebe8

SHA1
dee99f05b24963959159f1f061926e9075679be8

SHA256
94ebf2db52f15b5da55a809977e04f02b052abf418cb160a8d0719362295d867

SHA512
a6e66ade3de2cd308b1081548d2e58a87aad15baaa236c4dea73d36a946b6de352c3765d188f350c9311ebea0efc8b0068a8a7e0025e3dfdff84b737be4e475a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmsearch\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\lib\debug.js

Filesize
186B

MD5
1d97bc3d56be902d4f63b37b05f3ad85

SHA1
ace1fd823fc44e12a25448db2b5a49e20973e506

SHA256
0eda498431dfcb77febe2e79b4a63139559d3f42b21e8b81fc3879a3f6dc3c46

SHA512
fb52fee500d9099339b4d60f9aaab8bf613e7387848ff6ef3d2ce513d886298ee04810fb1f2b107a317cf4e1cea60a26ff4797b9cad3b11bbc26af0852e684ee

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\lib\nopt-lib.js

Filesize
12KB

MD5
94443c174d88f844a9ccc4b910f630cc

SHA1
fcb80696d47cad01738194971bc75c5e249044ce

SHA256
ff669467a8d425130753c6169ce0ce909d45a110d36b1c37949608fa4395fe56

SHA512
1a8eefb98b810cc183fbbac805c51f3b0714a195376f81eb90d12173a26165970e06d1192f089691adc21f2076056409f1a0557cdf8edfa9d389450e6c727daa

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\lib\nopt.js

Filesize
985B

MD5
f1f7369cd4f213cf2ae9469f4d1ef1f5

SHA1
cd7f1eb598f3ed855eb9033010dafc0198bf70c1

SHA256
10623659120996267168230ef2ffa9cfb7ce00422175d21476074c48d5262c18

SHA512
54b8adf2466118da90b84ecc2faa1c70a043679e542dd8631a50fdda883faef169d14a85cc64e2db33b492ac87c2a781bb9f454326b472cd5c61fe82434d115e

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\lib\type-defs.js

Filesize
2KB

MD5
0dd63ef9ebbb7c6f5a20aaba3d799be6

SHA1
bd7d41bbdf8dce506c049cdcb339c6015fb11290

SHA256
6537bb9b4df3a1af3e14d5a99d58e75180878a3e96a4bb3bc9760b052b53c5a5

SHA512
b0f065c9749023493720f1102b7bc1b2506f449c67c57aba40aff591f6a03a8640149e9573bf0ce4a7664909b721d893b85e350fd488e6de6cb8afbb10d76bbb

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\node_modules\abbrev\lib\index.js

Filesize
1KB

MD5
553252424d89d17aade6a0bdab1f1c1d

SHA1
1cb30c6f75014eec81b10c27d51413a2f0fafadb

SHA256
89ba3bd4b34ed7130749b098f18a78af725bba43b674039ffe801e8cf85df93f

SHA512
5e2e0d87c0268da9245265cf69ff500296d3d59219fcee673e1ef5149b63e44259eea60a739f278c57042fd2c7e3e95d1504fe9eabd3a931c6cc28574a49da8c

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\node_modules\abbrev\package.json

Filesize
1KB

MD5
aa721fce40b4331d0ded9cb9c29ea599

SHA1
aeda7805291dca4b7fac211a623fd103e51f10ed

SHA256
ddeeecbb529261a5754f8e367601c66ace7822603315b776c330fea3524dd7ca

SHA512
0e245447309ad24a24338909f65f8fe39a949c72c536f5a0ebbebe9cba28cfdfff414caece80cc866e874678019131fcba93f569341d9346bd04676b669f318e

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\package.json

Filesize
1KB

MD5
80bdf8901061eac24047d6b001499e89

SHA1
a99d447473406d5e862ae9337b7aee363a8d2f13

SHA256
8d349e100fdd613174f8b3c58149545e3d69a959b7fa3f466d457825575f5b3c

SHA512
b81099e82c23e809a558b8fb164338f3faa784e044d558daa4a09ab26179fc4594e170419f9e3d7b26baafb93d6981f001d2e8d3bab023767d219984b4769f03

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\npm-audit-report\LICENSE

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\proc-log\lib\index.js

Filesize
3KB

MD5
aaf4d3f519676aa3f490218a47fa6042

SHA1
9991f1ddc9b9a818dd4e9c2ad2dcd2b7c3ee7753

SHA256
f6c7ee8376eb6720a9b5149077648a0cc74e749c928f36bf88bd4dc6728d663c

SHA512
4ade93ee5fd3531389e3fb7f5f2db1fb8b99c2eb1fd769cf0a5ce726d1c4cf27aab1fcfa5dbc17dfe985879f00cf032a44e5c169cb40e7d4d27462a4033d2085

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\proc-log\package.json

Filesize
1KB

MD5
b9eb984a5b149084bb675358404d83ee

SHA1
2c87199e46d74c4de3202607efde64947bdc250b

SHA256
25f1b2da27302598083b749278018f7bd5cf42b8632df48428e07371e6386380

SHA512
4f3b72ffa47131f28a0ba85d9266665cad623bf72786b56054dcfa71cdac8d89b2d8be53db96dbb05d17035800fd6673f6143a567b0474748f3adeec1771dd57

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\package.json

Filesize
1KB

MD5
908ee832e1efb27e9faa3318cbc40675

SHA1
f48baa57e29980f9602f30351fd68ba2da243ce9

SHA256
a820020098f708cb9f785b2b0a3ed55a67c16f049040cc134a473547e573a019

SHA512
310efd80ef6522170afd617b9afd4a61263c4a6ec469fd63b0e67b595516b7146160a5ecd4b876f2b2dc21d93ec1ea1f53e169cc7fa3913a38fd56dfbd6cab1e

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\node_modules\proc-log\LICENSE

Filesize
757B

MD5
8bb6f78000746d4fa0baf4bdbf9e814e

SHA1
4b7049331119a63009aec376677b97c688266613

SHA256
a5103404e4615fa1ed46aef13082dd287bf4b95964e71ffdf198984b3d5882b8

SHA512
ee6874e77e33e0e0fe271ae706b344696201c1c204356e271705d9b0687bb597991c3b589d0fa6b6b38dd2933026c0996b37bc13062a5acb2fdc7f3359cdb262

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\walk-up-path\dist\cjs\index.js

Filesize
474B

MD5
54bd6e9d21ed6021e374d34cfaa3290c

SHA1
e71ef5c7bf958f1599fce51cc98a73f849659380

SHA256
4e86e409d7506477caee910cb50f5bff1dda477878da923bd3888501e1a04036

SHA512
7424455a64824b7ffe72c3ed521684d7ab279b4cabb0fc018e9db04662a92af9187efe30f5a442c3418705895262de6e057858c3cda00c634df3cbc6eebb2407

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\walk-up-path\package.json

Filesize
1KB

MD5
e6b2ad09f00a37da8012022f4b9e0461

SHA1
9af557e76ab4036536d792ca9b3c37d4720c0587

SHA256
2d43790293eb562918790e7fe2a786d86ed8e5a95b45d5e36587be0dbc8ddcd4

SHA512
9ea06c09a0837495bbae225d2913f55f53d5f81b4949bc1640d2cb460e3f61d4d39fbb88a959adc56ca7557870a069e1ec2a92b0c759b457731e93ecad8f9eb7

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\es2015\index.js

Filesize
17KB

MD5
cf8f16c1aa805000c832f879529c070c

SHA1
54cc4d6c9b462ad2de246e28cd80ed030504353d

SHA256
77f404d608e2a98f2a038a8aa91b83f0a6e3b4937e5de35a8dae0c23aa9ee573

SHA512
a786e51af862470ae46ad085d33281e45795c24897e64b2c4b265302fa9cbfa47b262ec188adbc80d51cfc6ba395b500c0d7f5d343ca4fc2b828eaedba4bd29a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\index.js

Filesize
15KB

MD5
9841536310d4e186a474dfa2acf558cd

SHA1
33fabbcc5e1adbe0528243eafd36e5d876aaecaa

SHA256
5b3c0ac6483d83e6c079f9ffd1c7a18e883a9aaeaedb2d65dd9d5f78153476b9

SHA512
b67680a81bb4b62f959ba66476723eb681614925f556689e4d7240af8216a49f0d994c31381bf6a9489151d14ed8e0d0d4d28b66f02f31188059c9b24aaa3783

Download Submit
C:\Program Files\nodejs\node_modules\npm\package.json

Filesize
6KB

MD5
a635c09a3ba36d76e04158ba070c32e2

SHA1
6bdda03a1e34946e25fced365eb9da0df97e9e29

SHA256
6f1feb793d2cfd5ba2c5c9aebe4cd7dbb2d44a401b99d48b14ea3b54cdef2446

SHA512
cac45d9a50fe2b7b786613b3de9dea31921bce05e2bdf5edf07cc3cb6e4a947486435b5ba7b23a34b8f674b04df5d69628c6954e159e7beb6e59b00893eae818

Download Submit
C:\Program Files\nodejs\npm.cmd

Filesize
538B

MD5
6895fc6423c97fbf721a71333137d1ca

SHA1
e0a531a3a869f2c3bb1ea91801a8a386d6aaf73e

SHA256
21b46c69ad6e2f231f02a9e120f4ba6c8e75fef5a45637103002eab99f888ab8

SHA512
0cdaa6bbeefeabf676839d88e96a096b13b9176bd936e11665ebf01e57540e131981a7bee4f113d2b5bd6858656f7cb689d29ee81d9f9e8d7f87d2d91e041ac0

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
72b8c907a5d50eb4917010e78ef8a23b

SHA1
a3e7ebff0927ae76cecdedb6e81422be78786bd3

SHA256
f6424b15af9a46f0ebef4cc2ca73a2b534ed22b2acec189ee9233fd815187e20

SHA512
9def64b5fedadfe38456c608be144706fea63847b5fd4f636af048b2886d88779f8b1268eac2c33e1edf9cc07deaa64de3ab5504b8a16d19e2b03b22b3a08dcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
9a991506d06755a35913689b313e2337

SHA1
6bf4ca8b8856b20d25062ec94c930f7bc7e8dc63

SHA256
b413be294aa14be865f49a949eedbb14614e0aa1808808c7d4c864a744797b9f

SHA512
8466d15754005c8da1571070975406f109ed98a2b319287e2edcea33cc6c7aa2749585859187d96bea1ab7dd215c7403b066dc30bcb1164f8282397a8705543f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_0D7BFF9D231ADDC3439B70E4C5E809D4

Filesize
727B

MD5
134944d57347a59eb78d147b2eef9782

SHA1
c8e6ddff18663e6e55b5bd57856df397a811acbf

SHA256
69aa139c431c6690751ece212ccee8431346f20921e40ea49c66a467e2ac7695

SHA512
4156d0287690ed0c0554e1ecefb89036f3fa6c4ec870353d25a6bdbb3deea4aafd8e14ef2553387a8f502e1e85b4da22da46cca8fba204814c9f52032f558f99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
19818ddcac7e6d84edda2d202a8bd6f5

SHA1
078a354358a3ab745489ec949e64e71b73f800a7

SHA256
376fd6fec42ba09d21b131410ebd956b6c768597d3bba28d120060ca8f8ca64c

SHA512
646010ea61958a0af74cf6bf53623fdc233291cdb309b7d92dfc1cce33444e57c693c3186b54ac7e082106fe02a48faefc02ff647a5eb09fc2b945f12d0df36b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
8ec1810119258c9f8e708a60e453a259

SHA1
39b790023db80064241cb499554fe8e1e0c3796b

SHA256
dc33b59b04a2d56187e7be8024c8f997c6f8ff79829f17fcc9c393faeb92cbcd

SHA512
3cb944491521c49787b531449d118a889845495063c4fe5d9d3abdf5a02aeb4711cc570215ecf7cde226ff8c50a7cdf830b67de0295697d2802d197b1c162723

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_0D7BFF9D231ADDC3439B70E4C5E809D4

Filesize
404B

MD5
fc22b5abac672155f97936b4f8a091b1

SHA1
a0ca54d107ea21c9b31478727f60f7f623de86da

SHA256
57f037587dcc83c2789f952ea3d430a5a90c47ea383f20f1f4c7eaeb1adcff32

SHA512
f3dbe4feca4a54c79a227bd6a4322a0e91b2209c80a8ceb045cf45c23e929ac7623ee4b60f49a5ea0aba68e433a23ca248afc60f3ac3f0b8e3c4e8924f3c99a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
891cc296d78e59cb0efa5f46bc818206

SHA1
75a98df05ad1546dd042d75e65a54f38f1dd27e2

SHA256
aa8b97f3d79a8dca7169906ba30ba55cd6d29a311bec3e6eb27225788548414c

SHA512
0df973bd0e8b176c6a07872ee9f4c76f1fa854f714bde42cfe1ecffbac00e28ccfbf595b33de08d8a3e44ffe5da70ae8c000913a3940d196740f0431f71fcc5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\63cbc1d3-43d7-4198-98d7-c9ec025c4743.tmp

Filesize
11KB

MD5
8bb3f5e8a1ba0d48f922f93a4bc97ed7

SHA1
3e65e0c35e88ad927cf85c64d75f0da4c855b786

SHA256
254d7bf7ce11f82def7025340462d2e1d893b4a8ecf8cbd96d2d04465eb39b81

SHA512
bd02b1dda697416f5ae92c1c20ecb3d761c633f7c4e2ce27f3eaaec5b67efb115a252c8802d567c81fa8a57bf658c68b6da84b7c65851529617c2bd83870af21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
58d1cd1235a33bf454897785ea664fdc

SHA1
35018f1f9dd4ca48d08c7639cbf2d47e7ca42e78

SHA256
5d373f8837521159993b56a1c51229505857e44f2db2d66540b388a516b7bce5

SHA512
7c3c5c34942fe7feabaf2d404fbebbf3cbb225ff6c98718c54d9012cd0e25ca73ce88e83ef06e8ab3fe021ffb6d1ae967944476f2a7a2cb67fdddb15227a06d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
72KB

MD5
dbbff6f4adbb2716977f84db049e50b7

SHA1
a645e2dbab0cb70e0c14f04c85c5e89f4b814c5f

SHA256
2d2d525301b8fd28b01b857a782b3b13587cb028f0f5f00e24e285a97fbb01ad

SHA512
c63af3f49a4828feda6f55a5a6635b01626b7d0b96a2234d94392a936231c1e21ed30e7ef5ecb836e69239c245b4884277e11a02dfde13c191a371fe2a41ec1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
411KB

MD5
4eaa01afa8fdc89b3a3992b72c2bb6c3

SHA1
997111665d39594e344c5c76eb3edb4f1ab60e02

SHA256
efb87affe7c7ae1a3cef5a0e3d76bd3227844bf350d13d365f35a30c6fe06c27

SHA512
3dd6dca4a68700486cdd7b2e413603d83b38b3680d2905174eacf4b7a4ae28cf6bd446a486f6f6c9772c5552218b0b73282e981c1cad467087e9849888fbee26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
107KB

MD5
750b4ea9c45ef6fd711e5d8eec659b50

SHA1
047b818d26170803507cdbe02a7af06434d8f3f6

SHA256
d62072e473e76f9261e438b39099116b3acf79abe532b0de747619027b3684d7

SHA512
d2c73b2d3862c93fb0f538646a5216eb73866015223e76c37349a85340ab89fa674518fd304a29822513190156f23ea01ef14825598e5637328093b4c57d3b21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
90a4bc9168ba0d7efe0d8dbaca32e1ae

SHA1
088ae05424aef0fefb71d3349b7a23377705138b

SHA256
e6f8cf735a62c8c5d1d854bd88ca1603f8a057f9747d2a561fb280fb7b168cd7

SHA512
90de16afff50789d42ebb6282eee497a5e7f43fc73e5cbe67ec663d20e6098860365d89fc817615cbedca40e1339d50a38078148eb0cd21b6cc79c404c02edd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
930cee73ccd6c59a59db5ff1484cf515

SHA1
c86105740871043b239ee17edc9c7853f35a7fc8

SHA256
3360782fd477bb42b8d7590e4d3a22e15678791696e08c96e14661717a8d007d

SHA512
ff30425c8b89e6d6ccbe3920ccb39bfd90d38e30757297198b06f7e828f70907f15fb20b2b50e49967091be6a70e3cf0a17297bbccc8c3e37a3051d7b1b55b32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b5371c49eb2b71656e44f8186c65df32

SHA1
09cc4345582b9707fb8350356901e41cb4c0e143

SHA256
48c2f6681e54863f11989a8c84e0d2d5667d9aced34d6066ce82d7c9ab7f4de2

SHA512
cb756c73c8b1a4849ec8a733e3ff7d77635c3943a52ff184dff74d8645b314f6cf20422a7f6784e95104d5d8f8a6b35cee6381ff74d0d488f259ca568347fd90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
a2e2f64f5c5232daea9116e8f634c264

SHA1
08f402db68d33d5e73d284ff9b7e542f552c0adc

SHA256
386aac7cbc86bc022ccf60d5195e1f7a95ed46ad9bd55d4a92e94bd61f88cd47

SHA512
fe53d14539e8259e806332c2e1aa6ecfae4d78eb86cb9130653152f73013a2971c311179303ed0c52ce7734fab37598a66d212ba4dd832f755fe83b0d160bd8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
7e9cbaa2b2d9e390c9c8ac5f267c60df

SHA1
810faf50b2a11f916c3aad8e687adc36ba280780

SHA256
665278b306e66b9b09a9601ee32fff80f5b73e60be6aac16f63d81f28f327ca6

SHA512
f107d626718d46f305735ed3485cfc340a3ed081ada1c835d71d57f10c625f4b0fdd39c8a08c533cf7dba0c42db3d9885649b42b10fe3f7129fbbbf17de97609

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
d2ef6c9a02012b146f0732f508626aff

SHA1
1cd5f8e6e743b38465066a10871ee93bf7e0e1f5

SHA256
d9a5c81e92d1f1dfef1f2516d1fc20433d53f048ce7d49794292afc33e3ce003

SHA512
66f7a294ecbc5a1c62842c02be4cd36e9a0d7e758396638f300a3b0dc8080ac5d31438a4b8b81fea291f8f7095141df732d65ee0b4526f30d57c864def38ab26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b2d3ebfc913c74c4e2a0a19a0c17049f

SHA1
832bf3dc01503f768432cdd51ba1d9adc2b461e6

SHA256
81b16f02fe84d22b0ddeb8dcb5c1deae81efa8723e1ae342de5b7da461a897fa

SHA512
44d19b02de0d16e87cef92ce9faa6d726526d81b75984e7f44254a6fe37fbf7cddfb75e6db2cfd0735720df381478e1136c373779724d1b7c2630eb3d69cc6fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
358c953214bc97532163591006f5a18a

SHA1
912ab6a1ec99f3e89e13230bf9f70217411dbe28

SHA256
6fa955ea0d67a578f32c45190fc874c20795d1a5f0b8a27889d447868a3802eb

SHA512
a5d68f1d506733c5281e8e648864236b9fa5fc91278f77b3dfc39897710e471ae2372e86eb6a611b3ea6cd5d48400abfd71710852890a8c9df07ced5e298c248

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
0e5c487beb3ae373439c377d170dfae4

SHA1
9240a629ee5393eb7ec468a3a96f524b058a48c0

SHA256
20e314072ca3837a8a2a215746164aeb5281aa15be5ae37bb8889e38d8153287

SHA512
da0f04c74e8e9fbacef5a717ad7fb8d729e04b1e8d0c6e4ac840ac9e24354a5181debba754731ec30bdddef7e416200094541c90f724aed7d33fe348bb4c3f8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
290706603846ebc94f20ed09ce589b47

SHA1
11fb83514dbaebfb62e062f8b444c5e365e2d180

SHA256
1f118c9a52abf9183d0187e58dfbd2292a2896f52c33736ec036503eb68c0b66

SHA512
8f41dc6f33baec5be9c4f3a931246249241eaa08729bbbc29555918473a727df569928dc89aac751c2cf27a203b1612e2964b43eae5ce31b5ff13b00836ac143

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
81c181f5efbea64bcc36e98db0da97e3

SHA1
4c7049f70dca2bf80ac20dcf9dc866383866e968

SHA256
86c14b79ff4215b4df2137f8d99a07f61cec15f008f982c16aeac93b0c161564

SHA512
93e144c69d3e08fbf66667564df422ed00fe0cf09979ec27dc4ae7d06b8b13b51325004138085605b766f73f4b40076c521daca6ed567ed927a086875db92183

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a5124618b4050c7c675af6cb94db7931

SHA1
cfd7d71702a2375f9add6994c2033417f22eda86

SHA256
809a62589c1406e9197f7448ecb15095ed8144bf15caeb1251a8891ddda7a2e7

SHA512
473f59d263903635fd9424f1377e1253c0c8f21456c9a2e96360bbcee6baa59270f7d7cb4a588335f7aee5e2abbb17bca84f19984fb8cc55fba1efe104a67e71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f48dfff9b97b3dc0f12c78a63fb3a491

SHA1
51401918417e721426faece1effa025b57045e40

SHA256
2e7e0bd5e09ea4445c4f500382a76a1a2dabb9db340872ba3a90c30fe17c51da

SHA512
2e526f6daf002d5537dec2ee2568f839e97ccd61e23137aa2a5cb51665d48ad72f6a2392738ddec178e8cb7d6fa42717d3ec2e74639e5cd0a6e36b38622b581b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
53ee2c57d222a8c51adb7f888de58658

SHA1
f3f8673725173c678227494d2a341210cac4533b

SHA256
46380fcefd54a318e4f13c34fb8f406215c3dd6f4d86dfe1b04bcf5900da0b87

SHA512
2efc43695b05a287fe98de2b2e6ac5846da53df8e0cea328a8a99de4b11e11e2671a16acc7b79a4cc17f3563ad8858b911c9ed893b8330aff58c4d747a088a84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ceba56a488e220919ccbde649a086840

SHA1
b6412700dac1c3cfa3bec56bb1bc1e38c83412c8

SHA256
f9334033e6d6d6b3374ebac7f8b3ffbec21b7a4e90f7cf497e78fbe65c01f010

SHA512
7fea958872b0221675f576326edec328501904a751704ad39ce664cdc2b3ef3fe7a3f89714c3cf403321bccf73bcafd0d9e718f3fcbb00e8c48cb89b0d5d10f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
16dd645a9da05e4e7a2ec7bb8525af59

SHA1
b1f6fc27e38618e6fc8aeba4c9fff66025d8c1bd

SHA256
0f3dad08166cac839f9b115e775fecf4d27a6f7c81aa1208e0173ae0409ff57e

SHA512
e77acbfe2200c22e00a5f39d2761a94bad51ccb7c6f9465f0fbb8570df4c751b6310fcf9967f138a840014dee611500cf070d3204324b51c53ad2fe9604683df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f26207dab5731f2c0c934bc6f56bd69c

SHA1
608bfe094c912b5ccddb4f2949a497ac7e923cee

SHA256
da9dce4d2613b4883917e83d7cf405c892d868e842355412dadae659e4ef947f

SHA512
52f3359b2b70c1a9d8222f85f8dd1f50de518bfac649644d3a66a935428ec1d566271e6c0c67a4cf48bba654d414919b9dc1d12e0e454df9d996634586852580

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
939ab56f18c2269eb68af946086d5f32

SHA1
b8a62255fb08f74380a071e1cc11aaf5ca408f20

SHA256
8a7748f6a0b01aa713b0c330a300672b10807b6fc254d0cc08d71360ed44f6a9

SHA512
4988461dec4ac300bed2714b98f64497b348a919d0b2cbb0435136a1559854155a1cd35b260b70c1add679a383d5e3ea39b5da2274a0025c3bd274a92ce66047

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
379c2b8ce38be5cb874dac9332ab18bc

SHA1
86e0f0617932b59630a3d1f96793c59b4464ff3d

SHA256
284f6afaee0a067deb51455aa0ef3186a6c4f7d3034756589d5fc42ebcd7ab27

SHA512
2d2173852f89c4ff02736b816fe6ba069b4dd94d95dafffbf7426c2ba007fd1fdda5616a139d3a50ed2099188ee5446de7f935479e051d221ae2c17f6540c66e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
898f3cbe297707537d4c3494ddbb05ec

SHA1
41ba04574057fd25aa559e8244cc5dbf3cf649bb

SHA256
0c2088acb78fdabc6c6576922f74395d4c522e579a4428a6ce0f912719aaee23

SHA512
2f9882c17eebb34dcd0c6f204f9cadd8c1a441d1197100627741e910688b5cbf6db1ed19c67170ca53b7207d8d1fe3430a0e3e1979eb0dce7cb7a9191271788e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
02a9333af66ba936576bf94c6c81e3b1

SHA1
aaf3bf2f7a3fbc89d8e6862e02b8d3b95ede2b69

SHA256
668fb3a12ec57cfdc8bc7ad4394c912a6b8db48fa5aedb54a4c6f8cc4a85da95

SHA512
53135ace3e651638afd2e41d7f238a8c37dd423f8abc9b6635bd33ad1396ecbbbbbbb8fc49908f4e5c6f1fc383ff4472e108cf974afadb05ce80807851b1c8b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d70805614a567baf2e0a533c8909be13

SHA1
a87babf8183fcaae3259e009f588c79cf7132426

SHA256
00cb03511471e92e35ddb8c351e1a4b1e3d35b9086f02f03e24ed3de7dd2ea07

SHA512
69845f4bf467600b594402ed9809cad5c023adc04b2f65f85212b88f1ba04205784132f2c5fcc70f48bfeebe20ed199330188cf09412c12d2d8659c3cce21b2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1089bd3dd36f76d34d61e8be9e057997

SHA1
83c91aa193228baeecd2f048e9bf672dffd2f913

SHA256
cbfdd5c39cbf2ef5f1077a6912df1e757b7782ffd2890adf143e3dcdf46f7b43

SHA512
9a463220e79f68483145756c038dca55de2a9806599f1ea3d21e9a4ecec8eb41b4cc8b4169c17de186ae07888f141a7f5f9ffe8e4e5e22c63e2f49d57a543319

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e5f38077c9f7068216e786d22a47b2cc

SHA1
6e9a823588b3d5f001690055a6d9f19199c9aeac

SHA256
0882da2d638e67278ba737bf0068b193ae165ba6c7a7b48d7044306ca8db2c3f

SHA512
f363b8607a0282e9133e08f44d548e83606c40c9a8229fdbb0762f0df10f83f1c5bc8306e7917b58668cb3ed883014daf39d7f9dd6f5b4d76ab2513cd12b811e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
377215e1bf0b234d2dca6016c1912ebf

SHA1
d71406b229cf1035099ab6e6fd33a1eb62bd5068

SHA256
c01829c2f3c3072c4e694ec5e00060c883a2aaee988846722374d805e7704fee

SHA512
fd57efa6858677e7ff10d7a1f0cfe88b40dbde6ced97ad947fc03b8a0b67b800408c128fa2084a3d40ddd010adaa440fa5228ea9b7b20599209da18a491a10b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7e7ef86997d6e85028d767201a6a00ce

SHA1
07ca06c01927717a927ad48ae48018b6276c8839

SHA256
476d90935b684a7ff795aab7dc3d0d1d6061904f677bdba6ba9970578217fe11

SHA512
e86ced2d373b84b59f4826ff4c8ae8facfb6882910a8272842de758520ebc6fe431dd60d86f92acad786548a7f9f04e57604bf95b0c33263c9be32a5b37465cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a637638edcaeb571f5e6f7969c2ba977

SHA1
d6d86363aa82c1d4aaa2b54da616c6a91d2404eb

SHA256
05a9de0aba6e8e562fbda36339775c6d71db232d9b7043ac86bbdd92d4d6683e

SHA512
632ce418ed2e45ccdb6a625c035a386d19152cbdde7da9c2577f56b6d902db12949df1d44d430050ff6725b2db994e80c17c68d5377acd8fe24a9fe26fd7b1d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f2ab1a38a1cc4f86110af04386520bea

SHA1
fcf6d51d77c13615c556d5250f3961c5af6c31cb

SHA256
fbe56335d37e30dfe815e3d32c29c66abed3bf2cc70b6151d28d16e0dd24ca22

SHA512
597e6b47ab8b49c56c2b948babd5cac33aa108f884c8376b7315b103e1e8d659cb3c651da481e1899784caee4cdbcd597d470f819f6cec4a67e9542357f0a2e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b3118f2aeb4cfafe8fdc4fac0f4c01cf

SHA1
9223a1c337105cc65ea66c47c834cc1dee8eafa7

SHA256
76b85277ba279f31f4180416f4b02b77d55b2551f56043acfe0d2b051f7e3b86

SHA512
394af7cee900e086ee65cb8b02e242290a5c3ae0530287390349fe5fa68c39a836cef40f348ddadff1016caa963d0242aa83dd20bbc58c59cd8f483656ce6c3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
8c4f70ab3a58eadc750b036205b82d68

SHA1
d2ca79d7c4f3c25e5f729146309502ca459befbd

SHA256
addb0b4e2eb2c3d0d375d5fab123376dbc3a02e07871c6579075100ed541450d

SHA512
704e73a13c8547241124fdf1bf978f872456f2f4088440f62deb28bfaebc0ed26696d2259ee8052bbe5f53925be198aa8119e78e70b7692543140f8ecd604412

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
563b7cdefd72803f4fc85bb863571bbd

SHA1
b6689ecd4688a0d536e441179ce0196ad1a8cd8a

SHA256
927568a6db34da8ec7136d5a11e1118b0a19f12eeb026026e53816485f963e79

SHA512
9c04b9c87b62d49e7fa5281f20231ebfcdd917eba0e0d9272cfa8df2541c08e3a3490e34cdbcec253cdedd10bc9f642422560bd731c3a1450a29a76cb1444ec1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e4f3691a4837d2f8dd1d3cd702624c69

SHA1
c912ea34d3d1c68a4811b5d7bd65e61bdcb3971b

SHA256
ef127ed0e1e19a52ba6e9d52cc1bc756c9d8de590836b82e552873f6396786e9

SHA512
7a71e4afa09c584f17206bb82f42f6d42f6b975884715377bd4a653b8ef771e5d28b46f649c6f6aaf50e1e226a3666ceea9cfe3191e4e9ee75e4deb3d73898bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
96c2f7ec5b276e345d33eb51926588d3

SHA1
960c40b55080c349e3aff978d46212085c7b4753

SHA256
8563c852cd6ddb87c337d60dc0081a95c392da83a954b84206913c30a702e99f

SHA512
dc0cd61c113c3762c09f05a17d5b7f3e5fc22227582b69ac6e5e5d9b1b166a2feaf05cfdb77b2294c05e145395aac0d408769bb8a112091a5d667ae6ff290290

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
8cf4caeca78f05edf972f7cd6d6546f8

SHA1
df4e876e49c55063bf116314e8aba9a5631bbffb

SHA256
f61912aa8c163fe8b9706b5fd772abeed6a84b5d47fce8dff94888f63f42426a

SHA512
a94a5fe911dfdeab1e65f43732b0a061dc315f109778c2f153fb05e9d58445e03b25bdd0eeb28bd2239fc734187d82a32b7877d43ead1be6f03d169c7799db58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
74ae0e2405b16c940bdc9aa6bac6321b

SHA1
efe86cc05935cdb6235592c547441c92ab28ed1b

SHA256
c0b5b6bc1dcb739e34e68cc9bd81ea64196a2a6e3210f20c08416a68fc72fed6

SHA512
bb6e16233c04d24d695ba3199a24009af2c1bd4a7b8109965ad14b3cdd29450b3fcd1743c10db9a80b71252854a5ff3260e1985013a41bd8085d7982ca8029da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
8199e78e6454f5d9ea79b7e2d66dc105

SHA1
445183ea4e8fdb35a21c073eca831300fb03e421

SHA256
f4d3e2aec3fb5a34be22bf2e099a436761e112e1f95927cbb3bf2a6b18c2b950

SHA512
08eef3e358242b7ce37c7dbb66b2798f5d6584f31661fd799d987220d5d4d31c62eca318a977dc01e3673f6570920baeceea6a7c673a7b2c6ae7acbf5f0341c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
61397fd059724ac6a5c26cc00c107d30

SHA1
a2fa22c363446a0e2b9ce4f8ab7e8e8fab3eb239

SHA256
86c3d52e13b1ef3df736792ed4adcfa5e2dccaf67ad7464aaa370b55ce88e1ae

SHA512
85cb05b8b6826d5e1755a7737e637d9aa4ef2750f4dd0b71965c3f8786a2584b4f29e96fb83cc32f86f581fc01af9072a16fc8d82c6ea982c1a8fcaf5243d49a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
67785b5c728c4b405df8878838c1d344

SHA1
c71800184864c8dabd546a9a1661a3bd0eaedf62

SHA256
56d33e06bba64240081518bc615cf4a894bf5c60c90e3d8910b3e560070acb83

SHA512
9ff80b3388a2944c31d4729eecfcff88515257c42ecae11ea5ba2da8ca1bc98ca8e01263a1ad7d4a96396fca1bc813062d4dab8c5c38913b38809d0ee5239420

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b07d37c17cdaad9881eba04629478bef

SHA1
40943b06951dc30de8b26807a5c24a8c341091d2

SHA256
30f582e86147b07807737bd96032050e87ace3b27e1de58a5805cffeba8235b9

SHA512
71e3c5e5c5ec8c195ec21f0fead0d34bc336d8afcb1d1fb38fd884254ca9185e2f8e2658ef86fd2330e1667ab219d98da5d81ffa2a8126e9f69613e1c1107783

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
505869fc99829998acbc4a0bc015124e

SHA1
78d1bc0017442179c7d9ca0a313a680197d09b30

SHA256
93c7644da39a44c6b3f9378c49e06e412f3cc53776329d83f81bf6063cb4faf3

SHA512
e5451e277487e64a4742c11c2387840602fb5aff7a80090af8acc53b97603ea34458072e3ec6fe3a66beab0056c8f83d02f898a17525d549da6bccdbe455da10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
787826aefc20e2efcda74fe988488ed2

SHA1
da42061f4ebc67cab77a1c9bcd723fd573ad4c83

SHA256
bcbbf37a2ef71a70aeaa6800e490b2331a716ca374a01c268b8022feace20a09

SHA512
6321cc3ff0a0ab02315766e16bd6895c4d762da5ccdc166c662f32dbbea48425355c3dc72932cf0b0f2c79f8bcda72814afe8687940c63a8e158c08f69b63946

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9a9e3bdb942bec958ca6b1ff6af86be2

SHA1
addbb48bfa95630ffacef0fae9735334a76bc994

SHA256
adb9b3b51f09e0c3642cb8604ea9b428276e482daa14cae664033e8f20fe8189

SHA512
53bd0fdf42af4d78eef9c9cd02733c275eea80f3b3fccc7e9da5d150a583a18ce14eb0ea1f7fdb87ebd5e8b7babe3092e6da5cba05747449953e90493613f691

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cfda69db2f590c148d2db0f40309e661

SHA1
4cdc82a1a39b43b7528a2fc4689ae9fcbf58709e

SHA256
1ea5013f4f3c3c10b076b41c7c57ea941987db3846682c15d86e1ec74efc61d1

SHA512
164b7a9523110fc3c224b62a8823791805512e039c0e812bc588cc4bdab7196dfe5c9a54deb560e0c815d8636c0b6f52e6810c92f64756d50bb9742072d8430a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d108f6bb8d1f3391d1de167385916de5

SHA1
36d7a29823a69d1b46a91b3921539e18b1df2e5e

SHA256
c3d6f7d047303e056eec01bde8c02d1d33f79c6002797178c0acffaac4608598

SHA512
a0121ac8839346d50f932097b60d9e78e6a353eacd9d819dccb5524f8d3bd9bb42480cd559b0198c6e1db0ca9a38e64336dac0115710a4fb2e5da51807d7ae30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
8c76a6abda4efabb7222ba1257ca0c1a

SHA1
2b05a3148adeb8dac7006eb83c2788fbeb948ca1

SHA256
05331cb172cf119bb5cae6c3ff6b224d308a866c947ff3c03d63fb8d0fdde041

SHA512
f2346372326991ca17edec363e862c880346a02d697a7e90880d99971025510fc211f6aa2225825873a0869c8b8032369d885078f50121888b72e40b979fe7a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
18c14b950ae0f988187812f2555761f9

SHA1
5ad914f7e152d7af7f18a9414ce83c9bf0679863

SHA256
c77f6766a7a7cd89e43faf2cae95dbe6c89c3cd4d32dabd1e84caea52c104349

SHA512
98ec090a2e57edc8820d0a172a507ddf0fa1e0e42984e543b5ad9f56224ea27457974814d0341e53b4b8c86c2479b987009fdde664b4198dea56ca3e231cc6a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
ed12a423ddea0daa095a8b9a1904be4a

SHA1
dfbeceb985c21eecee720c17b5359080c5050477

SHA256
33adab9813ab9235aac4d0253e6a9601677c17ad13514e8d44fb0fc67d1db7e1

SHA512
881dce4832cfd1ede888263297c78c9dcefa6ce8f7a900be4d8818272f4f83d375444f910accf648789baed967d745ddb1ffba479aee6a701065ee3b79b85863

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF8F6.tmp

Filesize
144KB

MD5
7fa9d662d634534d7c2240dd126bdeee

SHA1
bd01e22ed2da0d0d485824b372ac67da683863d2

SHA256
c0e8683b697b3c6e55deb4497d3434d6e2cc841eb8c9a1b7d3f8907cff7de206

SHA512
cbc737e3eb94151c9dacaa5ee780cb550176ca2be2e0c66925884b5bc6222b7bcde5ed66e881f2a76f3d26edf5331abf0e74c819ad4f5fd7d0819bc4c138bb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFA10.tmp

Filesize
390KB

MD5
80bebea11fbe87108b08762a1bbff2cd

SHA1
a7ec111a792fd9a870841be430d130a545613782

SHA256
facf518f88cd67afd959c99c3ba233f78a4fbfe7fd3565489da74a585b55e9d1

SHA512
a760debb2084d801b6381a0e1dcef66080df03a768cc577b20b8472be87ad8477d59c331159555de10182d87340aa68fe1f3f5d0212048fd7692d85f4da656f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qj02fxa0.hyx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2176_896504174\6583d638-e567-4f83-9eea-cd4c5e24a282.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2176_896504174\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\10\f7\3e71f2fc739b11672d3eb0f9250e02d0fd04d730594886db47351df9e16f

Filesize
690B

MD5
a041365ef916c1cd653ccc7757db2976

SHA1
36742bd6e6eb73bca55508ddd8dc303a00389926

SHA256
56d859fabe3edbd27ffd20dce1fdaba50a2f7fc16060fcc611260eb2f9a00acb

SHA512
56c2b9399a19da707d8a982e28f985deb45b5040d58fd4e5f913ab679b95ccad20dc30a85fee6bd7bd3351563ab770e1685a15b1def83fb51831ac85b8dd88e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\node-v22.11.0-x64.msi

Filesize
28.9MB

MD5
fa9e1f3064a66913362e9bff7097cef5

SHA1
b34f1f9a9f6242c54486a4bc453a9336840b4425

SHA256
9eea480bd30c98ae11a97cb89a9278235cbbbd03c171ee5e5198bd86b7965b4b

SHA512
ad3e9469326dccac6b49185b5b2814ba700b5d83b4b3ce17f85a9adc5f90bdebf54d79800b253ed5c371ab82d27304841f86ab1a8a3c7ffade8a2d78e55dc99f

Download Submit
C:\Users\Admin\node_modules\.package-lock.json

Filesize
366B

MD5
05bb839c0e547ec38ecf4286d8828adb

SHA1
5e755c665fbedecd8b1f35363182507417faf992

SHA256
02c0629211768c2c93e7d5f69f86a3264478fbd8d50fb2a1f05681c53eb8da01

SHA512
fb0c18f2761bbfd10974f1ea56cbaf6478d881ba3c031c7ad3767ed035c07f3ac384e9cbd00c18a1421aff75be8f91f7f92062f9a18f2d6a38df48c1f4ea21dc

Download Submit
C:\Users\Admin\package-lock.json

Filesize
443B

MD5
aefcc26d07c2c0f032c7a535466783dc

SHA1
5925fbbff6fee9ff213d019512723988ddb3c876

SHA256
ac6092c34f558da21276c83cc6404e9e0263dc39a709b3b7b33ec2fbb690ccae

SHA512
b64cf222b2492b4b2d2a87d6c52ccf73982650c84ce3c99ae393898d102dbb949752820009147550f413fcbe0d5877708234a284d5c79aba09ae1657f25f4e7c

Download Submit
C:\Windows\Installer\MSIB3C0.tmp

Filesize
341KB

MD5
74528af81c94087506cebcf38eeab4bc

SHA1
20c0ddfa620f9778e9053bd721d8f51c330b5202

SHA256
2650b77afbbc1faacc91e20a08a89fc2756b9db702a8689d3cc92aa163919b34

SHA512
9ce76594f64ea5969fff3becf3ca239b41fc6295bb3abf8e95f04f4209bb5ccddd09c76f69e1d3986a9fe16b4f0628e4a5c51e2d2edf3c60205758c40da04dae

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
e69700a1be658efc640485cd1c86524d

SHA1
5db22dc97caf0b6fc33e8a0f7070c1dfbf0e69a5

SHA256
3216ac1f48368f9f5fe048418e1139b24167071313233de9b9dd3489293389a5

SHA512
b1c8513fe4d91e1d250f4d66520de412cd1b8c7263b50c63b8fd91135f8130f973e0d6591c9613a7494f706690d1b854abe289de6c3c3a4a2887739de55183b5

Download Submit
\??\Volume{f9c79713-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{42c3b256-7823-405f-b322-e10d9012f627}_OnDiskSnapshotProp

Filesize
6KB

MD5
23f0c7b249596b903ded6b34a2297ba6

SHA1
e5a07bd92917f57c9a6aaf88feb636549fe231ab

SHA256
67e9434e63c7736ce2676ccc450adcc7a38037940ac5269281f3ee0c38f360b1

SHA512
a0cfca8ef51eef4284fdd00c50b183ad58c0c75b1df91564dd854e130d7e189ada5fcacc06219bbb8fc89feaee10372a2bacfc27b57ad781c79c056ffb0109d4

Download Submit
memory/2516-3849-0x0000000000C80000-0x0000000000C94000-memory.dmp

Filesize
80KB

Download
memory/2516-3877-0x000000001C770000-0x000000001C77C000-memory.dmp

Filesize
48KB

Download
memory/3596-3751-0x00000296203D0000-0x00000296203D1000-memory.dmp

Filesize
4KB

Download
memory/3596-3748-0x00000296203D0000-0x00000296203D1000-memory.dmp

Filesize
4KB

Download
memory/3596-3749-0x00000296203D0000-0x00000296203D1000-memory.dmp

Filesize
4KB

Download
memory/3596-3750-0x00000296203D0000-0x00000296203D1000-memory.dmp

Filesize
4KB

Download
memory/3596-3745-0x00000296203D0000-0x00000296203D1000-memory.dmp

Filesize
4KB

Download
memory/3596-3747-0x00000296203D0000-0x00000296203D1000-memory.dmp

Filesize
4KB

Download
memory/3596-3739-0x00000296203D0000-0x00000296203D1000-memory.dmp

Filesize
4KB

Download
memory/3596-3740-0x00000296203D0000-0x00000296203D1000-memory.dmp

Filesize
4KB

Download
memory/3596-3746-0x00000296203D0000-0x00000296203D1000-memory.dmp

Filesize
4KB

Download
memory/3596-3741-0x00000296203D0000-0x00000296203D1000-memory.dmp

Filesize
4KB

Download
memory/5772-3841-0x00000274F7820000-0x00000274F7842000-memory.dmp

Filesize
136KB

Download