8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

Analysis

max time kernel
183s
max time network
184s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13/11/2024, 22:55 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperV1.23.exe
Size

800KB
MD5

02c70d9d6696950c198db93b7f6a835e
SHA1

30231a467a49cc37768eea0f55f4bea1cbfb48e2
SHA256

8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3
SHA512

431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb
SSDEEP

12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2676	Solara.exe

Loads dropped DLL 11 IoCs

pid	Process
4188	MsiExec.exe
4188	MsiExec.exe
1228	MsiExec.exe
1228	MsiExec.exe
1228	MsiExec.exe
1228	MsiExec.exe
1228	MsiExec.exe
4652	MsiExec.exe
4652	MsiExec.exe
4652	MsiExec.exe
4188	MsiExec.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
9	3128	msiexec.exe
10	3128	msiexec.exe
11	3128	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	pastebin.com
14	pastebin.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\realpath.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmpack\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\socks\build\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\events\tests\listeners.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\fs.realpath\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\lib\verify.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\utils\get-identity.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-collect\node_modules\minipass\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\clean.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\columnify\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmdiff\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\base64-js\base64js.min.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\is-lambda\test.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\gather-dep-set.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\make-fetch-happen\lib\cache\entry.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\utils\open-url-prompt.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\x509\asn1\parse.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmversion\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\iconv-lite\lib\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\wrappy\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\just-diff\index.tests.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\has-flag\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\promise-retry\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\gauge\lib\set-interval.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-diff.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\override-set.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\delegates\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\delegates\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-bugs.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\qrcode-terminal\vendor\QRCode\QR8bitByte.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\lib\content\write.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man5\npm-shrinkwrap-json.5	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\jsonparse\examples\twitterfeed.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\sigstore.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-diff.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\node-gyp\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\promise-retry\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\unpublish.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\client\error.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\tools\Xcode\Specifications\gyp.xclangspec	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\event-target-shim\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\iconv-lite\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\utils\otplease.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-pack.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\generator\ninja_test.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\readable-stream\lib\_stream_passthrough.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\clean-stack\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@colors\colors\lib\colors.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\utils\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-hook.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\https-proxy-agent\dist\parse-proxy-response.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\http-proxy-agent\dist\agent.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\iconv-lite\encodings\sbcs-data-generated.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man7\developers.7	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\make-fetch-happen\lib\cache\errors.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-collect\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\stop.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\just-diff-apply\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\models\base.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\iconv-lite\encodings\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm.html	msiexec.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57a846.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAF8A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAF8B.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDD79.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDFEB.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB7BC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBBC5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDB75.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File created	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Installer\e57a846.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DFCEFCEE2B6E8F7C4C.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDA7A.tmp	msiexec.exe
File created	C:\Windows\Installer\e57a84a.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF4E154786A3C4A4DC.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF54710BC1C5D97392.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAF1C.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFACD3D6C3017993C7.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB682.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB79C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB95.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4832	ipconfig.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133760121843608675"	chrome.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPath	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductName = "Node.js"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\DocumentationShortcuts	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\DeploymentFlags = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\PackageName = "node-v18.16.0-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\npm	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\corepack	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeRuntime	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\PackageCode = "347C7A52EDBDC9A498427C0BC7ABB536"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductIcon = "C:\\Windows\\Installer\\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\\NodeIcon"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeEtwSupport = "NodeRuntime"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Version = "303038464"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3584	BootstrapperV1.23.exe
3584	BootstrapperV1.23.exe
3128	msiexec.exe
3128	msiexec.exe
2676	Solara.exe
3496	chrome.exe
3496	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe
3524	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1468	WMIC.exe
Token: SeSecurityPrivilege	1468	WMIC.exe
Token: SeTakeOwnershipPrivilege	1468	WMIC.exe
Token: SeLoadDriverPrivilege	1468	WMIC.exe
Token: SeSystemProfilePrivilege	1468	WMIC.exe
Token: SeSystemtimePrivilege	1468	WMIC.exe
Token: SeProfSingleProcessPrivilege	1468	WMIC.exe
Token: SeIncBasePriorityPrivilege	1468	WMIC.exe
Token: SeCreatePagefilePrivilege	1468	WMIC.exe
Token: SeBackupPrivilege	1468	WMIC.exe
Token: SeRestorePrivilege	1468	WMIC.exe
Token: SeShutdownPrivilege	1468	WMIC.exe
Token: SeDebugPrivilege	1468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1468	WMIC.exe
Token: SeRemoteShutdownPrivilege	1468	WMIC.exe
Token: SeUndockPrivilege	1468	WMIC.exe
Token: SeManageVolumePrivilege	1468	WMIC.exe
Token: 33	1468	WMIC.exe
Token: 34	1468	WMIC.exe
Token: 35	1468	WMIC.exe
Token: 36	1468	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1468	WMIC.exe
Token: SeSecurityPrivilege	1468	WMIC.exe
Token: SeTakeOwnershipPrivilege	1468	WMIC.exe
Token: SeLoadDriverPrivilege	1468	WMIC.exe
Token: SeSystemProfilePrivilege	1468	WMIC.exe
Token: SeSystemtimePrivilege	1468	WMIC.exe
Token: SeProfSingleProcessPrivilege	1468	WMIC.exe
Token: SeIncBasePriorityPrivilege	1468	WMIC.exe
Token: SeCreatePagefilePrivilege	1468	WMIC.exe
Token: SeBackupPrivilege	1468	WMIC.exe
Token: SeRestorePrivilege	1468	WMIC.exe
Token: SeShutdownPrivilege	1468	WMIC.exe
Token: SeDebugPrivilege	1468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1468	WMIC.exe
Token: SeRemoteShutdownPrivilege	1468	WMIC.exe
Token: SeUndockPrivilege	1468	WMIC.exe
Token: SeManageVolumePrivilege	1468	WMIC.exe
Token: 33	1468	WMIC.exe
Token: 34	1468	WMIC.exe
Token: 35	1468	WMIC.exe
Token: 36	1468	WMIC.exe
Token: SeDebugPrivilege	3584	BootstrapperV1.23.exe
Token: SeShutdownPrivilege	256	msiexec.exe
Token: SeIncreaseQuotaPrivilege	256	msiexec.exe
Token: SeSecurityPrivilege	3128	msiexec.exe
Token: SeCreateTokenPrivilege	256	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	256	msiexec.exe
Token: SeLockMemoryPrivilege	256	msiexec.exe
Token: SeIncreaseQuotaPrivilege	256	msiexec.exe
Token: SeMachineAccountPrivilege	256	msiexec.exe
Token: SeTcbPrivilege	256	msiexec.exe
Token: SeSecurityPrivilege	256	msiexec.exe
Token: SeTakeOwnershipPrivilege	256	msiexec.exe
Token: SeLoadDriverPrivilege	256	msiexec.exe
Token: SeSystemProfilePrivilege	256	msiexec.exe
Token: SeSystemtimePrivilege	256	msiexec.exe
Token: SeProfSingleProcessPrivilege	256	msiexec.exe
Token: SeIncBasePriorityPrivilege	256	msiexec.exe
Token: SeCreatePagefilePrivilege	256	msiexec.exe
Token: SeCreatePermanentPrivilege	256	msiexec.exe
Token: SeBackupPrivilege	256	msiexec.exe
Token: SeRestorePrivilege	256	msiexec.exe
Token: SeShutdownPrivilege	256	msiexec.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe
3496	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 5040	3584	BootstrapperV1.23.exe	81
PID 3584 wrote to memory of 5040	3584	BootstrapperV1.23.exe	81
PID 5040 wrote to memory of 4832	5040	cmd.exe	83
PID 5040 wrote to memory of 4832	5040	cmd.exe	83
PID 3584 wrote to memory of 2992	3584	BootstrapperV1.23.exe	84
PID 3584 wrote to memory of 2992	3584	BootstrapperV1.23.exe	84
PID 2992 wrote to memory of 1468	2992	cmd.exe	86
PID 2992 wrote to memory of 1468	2992	cmd.exe	86
PID 3584 wrote to memory of 256	3584	BootstrapperV1.23.exe	88
PID 3584 wrote to memory of 256	3584	BootstrapperV1.23.exe	88
PID 3128 wrote to memory of 4188	3128	msiexec.exe	92
PID 3128 wrote to memory of 4188	3128	msiexec.exe	92
PID 3128 wrote to memory of 1228	3128	msiexec.exe	93
PID 3128 wrote to memory of 1228	3128	msiexec.exe	93
PID 3128 wrote to memory of 1228	3128	msiexec.exe	93
PID 3128 wrote to memory of 4652	3128	msiexec.exe	94
PID 3128 wrote to memory of 4652	3128	msiexec.exe	94
PID 3128 wrote to memory of 4652	3128	msiexec.exe	94
PID 4652 wrote to memory of 1440	4652	MsiExec.exe	95
PID 4652 wrote to memory of 1440	4652	MsiExec.exe	95
PID 4652 wrote to memory of 1440	4652	MsiExec.exe	95
PID 1440 wrote to memory of 708	1440	wevtutil.exe	97
PID 1440 wrote to memory of 708	1440	wevtutil.exe	97
PID 3584 wrote to memory of 2676	3584	BootstrapperV1.23.exe	99
PID 3584 wrote to memory of 2676	3584	BootstrapperV1.23.exe	99
PID 3496 wrote to memory of 3300	3496	chrome.exe	106
PID 3496 wrote to memory of 3300	3496	chrome.exe	106
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 672	3496	chrome.exe	107
PID 3496 wrote to memory of 4348	3496	chrome.exe	108
PID 3496 wrote to memory of 4348	3496	chrome.exe	108
PID 3496 wrote to memory of 1564	3496	chrome.exe	109
PID 3496 wrote to memory of 1564	3496	chrome.exe	109
PID 3496 wrote to memory of 1564	3496	chrome.exe	109
PID 3496 wrote to memory of 1564	3496	chrome.exe	109
PID 3496 wrote to memory of 1564	3496	chrome.exe	109

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:4832
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1468
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:256
- C:\ProgramData\Solara\Solara.exe
  "C:\ProgramData\Solara\Solara.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2676

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding DC9BC4CE38A277BFD9C619A7DB6BDDA8
  2⤵
  - Loads dropped DLL
  PID:4188
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6AC09A28AE64F0C446766C66D6AA2C90
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1228
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DE18C8A440455A68D1B3B78B0AD0A9EE E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\SysWOW64\wevtutil.exe
    "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\System32\wevtutil.exe
      "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
      4⤵
      PID:708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb797acc40,0x7ffb797acc4c,0x7ffb797acc58
  2⤵
  PID:3300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1796,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1792 /prefetch:2
  2⤵
  PID:672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2076,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2200 /prefetch:8
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=2216,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4288 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4728,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4732,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4924,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  PID:788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4936,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4992,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4680,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5008 /prefetch:2
  2⤵
  PID:908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5132,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4432,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3412,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4380 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5160,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4360,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5244,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=3448,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5364,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5304,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5424,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=4352,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5108,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=4248,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=3092,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=3356,i,8519203329928099400,866137627708543519,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:1172

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2700

Network

DNS

getsolara.dev

BootstrapperV1.23.exe

Remote address:

1.1.1.1:53

Request

getsolara.dev

IN A

Response

getsolara.dev

IN A

104.21.93.27

getsolara.dev

IN A

172.67.203.125
DNS

27.93.21.104.in-addr.arpa

BootstrapperV1.23.exe

Remote address:

1.1.1.1:53

Request

27.93.21.104.in-addr.arpa

IN PTR

Response
DNS

clientsettings.roblox.com

BootstrapperV1.23.exe

Remote address:

1.1.1.1:53

Request

clientsettings.roblox.com

IN A

Response

clientsettings.roblox.com

IN CNAME

titanium.roblox.com

titanium.roblox.com

IN CNAME

edge-term4.roblox.com

edge-term4.roblox.com

IN CNAME

edge-term4-lhr2.roblox.com

edge-term4-lhr2.roblox.com

IN A

128.116.119.4
DNS

4.119.116.128.in-addr.arpa

BootstrapperV1.23.exe

Remote address:

1.1.1.1:53

Request

4.119.116.128.in-addr.arpa

IN PTR

Response
DNS

www.nodejs.org

BootstrapperV1.23.exe

Remote address:

1.1.1.1:53

Request

www.nodejs.org

IN A

Response

www.nodejs.org

IN A

104.20.23.46

www.nodejs.org

IN A

104.20.22.46
DNS

nodejs.org

BootstrapperV1.23.exe

Remote address:

1.1.1.1:53

Request

nodejs.org

IN A

Response

nodejs.org

IN A

104.20.23.46

nodejs.org

IN A

104.20.22.46
DNS

46.23.20.104.in-addr.arpa

BootstrapperV1.23.exe

Remote address:

1.1.1.1:53

Request

46.23.20.104.in-addr.arpa

IN PTR

Response
DNS

ctldl.windowsupdate.com

BootstrapperV1.23.exe

Remote address:

1.1.1.1:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

ctldl.windowsupdate.com.delivery.microsoft.com

ctldl.windowsupdate.com.delivery.microsoft.com

IN CNAME

wu-b-net.trafficmanager.net

wu-b-net.trafficmanager.net

IN CNAME

bg.microsoft.map.fastly.net

bg.microsoft.map.fastly.net

IN A

199.232.214.172

bg.microsoft.map.fastly.net

IN A

199.232.210.172
DNS

ocsp.digicert.com

BootstrapperV1.23.exe

Remote address:

1.1.1.1:53

Request

ocsp.digicert.com

IN A

Response

ocsp.digicert.com

IN CNAME

ocsp.edge.digicert.com

ocsp.edge.digicert.com

IN CNAME

fp2e7a.wpc.2be4.phicdn.net

fp2e7a.wpc.2be4.phicdn.net

IN CNAME

fp2e7a.wpc.phicdn.net

fp2e7a.wpc.phicdn.net

IN A

192.229.221.95
DNS

crt.usertrust.com

BootstrapperV1.23.exe

Remote address:

1.1.1.1:53

Request

crt.usertrust.com

IN A

Response

crt.usertrust.com

IN CNAME

crt.comodoca.com

crt.comodoca.com

IN CNAME

crt.comodoca.com.cdn.cloudflare.net

crt.comodoca.com.cdn.cloudflare.net

IN A

172.64.149.23

crt.comodoca.com.cdn.cloudflare.net

IN A

104.18.38.233
DNS

172.214.232.199.in-addr.arpa

BootstrapperV1.23.exe

Remote address:

1.1.1.1:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

4d38a1ec.solaraweb-alj.pages.dev

BootstrapperV1.23.exe

Remote address:

1.1.1.1:53

Request

4d38a1ec.solaraweb-alj.pages.dev

IN A

Response

4d38a1ec.solaraweb-alj.pages.dev

IN A

172.66.47.197

4d38a1ec.solaraweb-alj.pages.dev

IN A

172.66.44.59
DNS

pastebin.com

BootstrapperV1.23.exe

Remote address:

1.1.1.1:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

172.67.19.24

pastebin.com

IN A

104.20.4.235

pastebin.com

IN A

104.20.3.235
DNS

clientservices.googleapis.com

BootstrapperV1.23.exe

Remote address:

1.1.1.1:53

Request

clientservices.googleapis.com

IN A

Response

clientservices.googleapis.com

IN A

142.250.179.227
DNS

www.google.com

BootstrapperV1.23.exe

Remote address:

1.1.1.1:53

Request

www.google.com

IN A

Response

www.google.com

IN A

172.217.16.228
DNS

227.179.250.142.in-addr.arpa

BootstrapperV1.23.exe

Remote address:

1.1.1.1:53

Request

227.179.250.142.in-addr.arpa

IN PTR

Response

227.179.250.142.in-addr.arpa

IN PTR

lhr25s31-in-f31e100net
DNS

225.16.217.172.in-addr.arpa

BootstrapperV1.23.exe

Remote address:

1.1.1.1:53

Request

225.16.217.172.in-addr.arpa

IN PTR

Response

225.16.217.172.in-addr.arpa

IN PTR

mad08s04-in-f11e100net

225.16.217.172.in-addr.arpa

IN PTR

lhr48s28-in-f1�H
DNS

self.events.data.microsoft.com

BootstrapperV1.23.exe

Remote address:

1.1.1.1:53

Request

self.events.data.microsoft.com

IN A

Response

self.events.data.microsoft.com

IN CNAME

self-events-data.trafficmanager.net

self-events-data.trafficmanager.net

IN CNAME

onedscolprdcus19.centralus.cloudapp.azure.com

onedscolprdcus19.centralus.cloudapp.azure.com

IN A

52.182.143.214
DNS

8.8.8.8.in-addr.arpa

BootstrapperV1.23.exe

Remote address:

1.1.1.1:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

f29cc861.solaraweb-aji.pages.dev

BootstrapperV1.23.exe

Remote address:

1.1.1.1:53

Request

f29cc861.solaraweb-aji.pages.dev

IN A

Response
DNS

23.149.64.172.in-addr.arpa

Remote address:

1.1.1.1:53

Request

23.149.64.172.in-addr.arpa

IN PTR

Response
DNS

197.47.66.172.in-addr.arpa

Remote address:

1.1.1.1:53

Request

197.47.66.172.in-addr.arpa

IN PTR

Response
DNS

24.19.67.172.in-addr.arpa

Remote address:

1.1.1.1:53

Request

24.19.67.172.in-addr.arpa

IN PTR

Response
DNS

www.googleapis.com

Remote address:

1.1.1.1:53

Request

www.googleapis.com

IN A

Response

www.googleapis.com

IN A

216.58.213.10

www.googleapis.com

IN A

142.250.179.234

www.googleapis.com

IN A

142.250.187.202

www.googleapis.com

IN A

172.217.169.74

www.googleapis.com

IN A

142.250.200.10

www.googleapis.com

IN A

142.250.200.42

www.googleapis.com

IN A

142.250.180.10

www.googleapis.com

IN A

142.250.187.234

www.googleapis.com

IN A

216.58.201.106

www.googleapis.com

IN A

216.58.204.74

www.googleapis.com

IN A

172.217.16.234

www.googleapis.com

IN A

142.250.178.10

www.googleapis.com

IN A

172.217.169.42

www.googleapis.com

IN A

172.217.169.10
DNS

chrome.google.com

Remote address:

1.1.1.1:53

Request

chrome.google.com

IN A

Response

chrome.google.com

IN CNAME

www3.l.google.com

www3.l.google.com

IN A

142.250.200.14
DNS

228.16.217.172.in-addr.arpa

Remote address:

1.1.1.1:53

Request

228.16.217.172.in-addr.arpa

IN PTR

Response

228.16.217.172.in-addr.arpa

IN PTR

mad08s04-in-f41e100net

228.16.217.172.in-addr.arpa

IN PTR

lhr48s28-in-f4�H
DNS

ctldl.windowsupdate.com

Remote address:

1.1.1.1:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

ctldl.windowsupdate.com.delivery.microsoft.com

ctldl.windowsupdate.com.delivery.microsoft.com

IN CNAME

wu-b-net.trafficmanager.net

wu-b-net.trafficmanager.net

IN CNAME

bg.microsoft.map.fastly.net

bg.microsoft.map.fastly.net

IN A

199.232.210.172

bg.microsoft.map.fastly.net

IN A

199.232.214.172
DNS

214.143.182.52.in-addr.arpa

Remote address:

1.1.1.1:53

Request

214.143.182.52.in-addr.arpa

IN PTR

Response
DNS

131.16.217.172.in-addr.arpa

Remote address:

1.1.1.1:53

Request

131.16.217.172.in-addr.arpa

IN PTR

Response

131.16.217.172.in-addr.arpa

IN PTR

zrh04s06-in-f1311e100net

131.16.217.172.in-addr.arpa

IN PTR

fra15s46-in-f3�J
DNS

f29cc861.solaraweb-aji.pages.dev

Remote address:

1.1.1.1:53

Request

f29cc861.solaraweb-aji.pages.dev

IN A

Response
GET

https://www.google.com/async/ddljson?async=ntp:2

chrome.exe

Remote address:

172.217.16.228:443

Request

GET /async/ddljson?async=ntp:2 HTTP/2.0
host: www.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 429

date: Wed, 13 Nov 2024 22:56:23 GMT
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
cache-control: no-store, no-cache, must-revalidate
content-type: text/html
server: HTTP server (unknown)
content-length: 3153
content-type: text/html
content-length: 3153
GET

https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

chrome.exe

Remote address:

172.217.16.228:443

Request

GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/2.0
host: www.google.com
x-client-data: CLqXywE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://www.google.com/async/newtab_promos

chrome.exe

Remote address:

172.217.16.228:443

Request

GET /async/newtab_promos HTTP/2.0
host: www.google.com
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS117BTGJbd1LkGIjBIyrrH-jyPTfgXS0THdQBwMRdnCRfbcBJurunindStaIXxGfUkF9q5cAdtCjD3dysyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

chrome.exe

Remote address:

172.217.16.228:443

Request

GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS117BTGJbd1LkGIjBIyrrH-jyPTfgXS0THdQBwMRdnCRfbcBJurunindStaIXxGfUkF9q5cAdtCjD3dysyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/2.0
host: www.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
DNS

14.200.250.142.in-addr.arpa

Remote address:

1.1.1.1:53

Request

14.200.250.142.in-addr.arpa

IN PTR

Response

14.200.250.142.in-addr.arpa

IN PTR

lhr48s29-in-f141e100net
DNS

clients2.google.com

Remote address:

1.1.1.1:53

Request

clients2.google.com

IN A

Response

clients2.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

142.250.180.14
DNS

172.210.232.199.in-addr.arpa

Remote address:

1.1.1.1:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

f29cc861.solaraweb-aji.pages.dev

Remote address:

1.1.1.1:53

Request

f29cc861.solaraweb-aji.pages.dev

IN A

Response
DNS

f29cc861.solaraweb-aji.pages.dev

Remote address:

1.1.1.1:53

Request

f29cc861.solaraweb-aji.pages.dev

IN A

Response
DNS

f29cc861.solaraweb-aji.pages.dev

Remote address:

1.1.1.1:53

Request

f29cc861.solaraweb-aji.pages.dev

IN A

Response
DNS

10.213.58.216.in-addr.arpa

Remote address:

1.1.1.1:53

Request

10.213.58.216.in-addr.arpa

IN PTR

Response

10.213.58.216.in-addr.arpa

IN PTR

ber01s14-in-f101e100net

10.213.58.216.in-addr.arpa

IN PTR

lhr25s25-in-f10�H
DNS

clients2.googleusercontent.com

Remote address:

1.1.1.1:53

Request

clients2.googleusercontent.com

IN A

Response

clients2.googleusercontent.com

IN CNAME

googlehosted.l.googleusercontent.com

googlehosted.l.googleusercontent.com

IN A

172.217.16.225
DNS

nexusrules.officeapps.live.com

Remote address:

1.1.1.1:53

Request

nexusrules.officeapps.live.com

IN A

Response

nexusrules.officeapps.live.com

IN CNAME

prod.nexusrules.live.com.akadns.net

prod.nexusrules.live.com.akadns.net

IN A

52.111.236.22
DNS

beacons.gcp.gvt2.com

Remote address:

1.1.1.1:53

Request

beacons.gcp.gvt2.com

IN A

Response

beacons.gcp.gvt2.com

IN CNAME

beacons-handoff.gcp.gvt2.com

beacons-handoff.gcp.gvt2.com

IN A

172.217.16.131
DNS

f29cc861.solaraweb-aji.pages.dev

Remote address:

1.1.1.1:53

Request

f29cc861.solaraweb-aji.pages.dev

IN A

Response
GET

https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D37%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D37%2526e%253D1

chrome.exe

Remote address:

142.250.180.14:443

Request

GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D37%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D37%2526e%253D1 HTTP/2.0
host: clients2.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
cookie: __Secure-ENID=22.SE=VlnMj_LnOCv9JIxcmx_gn0sjcmCcMma1VsgUhjycyYHsb3egPX3YJMvrK3E0vjZ2YS_01owGL5bILrWz2w5Fsf37X5efBRG9t8e8ImJ9EmGtDb8r_2AmKzSlYkhpnEBRVEHi5Tr4sH1A0tMxuZGe8KeeOrIZ9-cm6NiYCJLf33h9Wh5NcExWE-aixk5BMlGg2BM
GET

https://clients2.googleusercontent.com/crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx

chrome.exe

Remote address:

172.217.16.225:443

Request

GET /crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx HTTP/2.0
host: clients2.googleusercontent.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
DNS

google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

google.com

IN A

Response

google.com

IN A

142.250.178.14
DNS

google.com

chrome.exe

Remote address:

1.1.1.1:53

Request

google.com

IN A

Response

google.com

IN A

142.250.187.238
POST

https://beacons.gcp.gvt2.com/domainreliability/upload

chrome.exe

Remote address:

172.217.16.131:443

Request

POST /domainreliability/upload HTTP/2.0
host: beacons.gcp.gvt2.com
content-length: 819
content-type: application/json; charset=utf-8
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
DNS

google.com

chrome.exe

Remote address:

1.1.1.1:53

Request

google.com

IN A

Response

google.com

IN A

142.250.187.238
DNS

google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

google.com

IN A

Response

google.com

IN A

142.250.178.14
DNS

google.com

chrome.exe

Remote address:

1.1.1.1:53

Request

google.com

IN A

Response

google.com

IN A

142.250.187.238
DNS

google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

google.com

IN A

Response

google.com

IN A

142.250.178.14
DNS

google.com

chrome.exe

Remote address:

1.1.1.1:53

Request

google.com

IN A

Response

google.com

IN A

142.250.178.14
DNS

google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

google.com

IN A

Response

google.com

IN A

142.250.178.14

104.21.93.27:443

getsolara.dev

tls

BootstrapperV1.23.exe

1.0kB
6.6kB
11
12
127.0.0.1:6463

BootstrapperV1.23.exe
128.116.119.4:443

clientsettings.roblox.com

tls

BootstrapperV1.23.exe

891 B
6.9kB
9
9
104.20.23.46:443

www.nodejs.org

tls

BootstrapperV1.23.exe

830 B
7.0kB
8
10
104.20.23.46:443

nodejs.org

tls

BootstrapperV1.23.exe

870.9kB
32.5MB
16179
23309
172.66.47.197:443

4d38a1ec.solaraweb-alj.pages.dev

tls

BootstrapperV1.23.exe

447.4kB
11.1MB
6904
7963
172.67.19.24:443

pastebin.com

tls

Solara.exe

805 B
4.6kB
8
8
128.116.119.4:443

clientsettings.roblox.com

tls

Solara.exe

893 B
6.9kB
9
9
172.217.16.228:443

https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS117BTGJbd1LkGIjBIyrrH-jyPTfgXS0THdQBwMRdnCRfbcBJurunindStaIXxGfUkF9q5cAdtCjD3dysyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

tls, http2

chrome.exe

2.6kB
13.3kB
23
25

HTTP Request

GET https://www.google.com/async/ddljson?async=ntp:2

HTTP Request

GET https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

HTTP Request

GET https://www.google.com/async/newtab_promos

HTTP Request

GET https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS117BTGJbd1LkGIjBIyrrH-jyPTfgXS0THdQBwMRdnCRfbcBJurunindStaIXxGfUkF9q5cAdtCjD3dysyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

HTTP Response

429
142.250.200.14:443

chrome.google.com

tls, http2

chrome.exe

1.2kB
8.2kB
11
11
142.250.180.14:443

https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D37%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D37%2526e%253D1

tls, http2

chrome.exe

2.2kB
9.9kB
16
17

HTTP Request

GET https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D37%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D37%2526e%253D1
172.217.16.225:443

https://clients2.googleusercontent.com/crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx

tls, http2

chrome.exe

4.8kB
153.7kB
79
119

HTTP Request

GET https://clients2.googleusercontent.com/crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx
172.217.16.131:443

https://beacons.gcp.gvt2.com/domainreliability/upload

tls, http2

chrome.exe

2.6kB
6.6kB
17
15

HTTP Request

POST https://beacons.gcp.gvt2.com/domainreliability/upload

224.0.0.251:5353

chrome.exe

362 B
5
1.1.1.1:53

getsolara.dev

dns

BootstrapperV1.23.exe

1.4kB
2.6kB
20
20

DNS Request

getsolara.dev

DNS Response

104.21.93.27

172.67.203.125

DNS Request

27.93.21.104.in-addr.arpa

DNS Request

clientsettings.roblox.com

DNS Response

128.116.119.4

DNS Request

4.119.116.128.in-addr.arpa

DNS Request

www.nodejs.org

DNS Response

104.20.23.46

104.20.22.46

DNS Request

nodejs.org

DNS Response

104.20.23.46

104.20.22.46

DNS Request

46.23.20.104.in-addr.arpa

DNS Request

ctldl.windowsupdate.com

DNS Response

199.232.214.172

199.232.210.172

DNS Request

ocsp.digicert.com

DNS Response

192.229.221.95

DNS Request

crt.usertrust.com

DNS Response

172.64.149.23

104.18.38.233

DNS Request

172.214.232.199.in-addr.arpa

DNS Request

4d38a1ec.solaraweb-alj.pages.dev

DNS Response

172.66.47.197

172.66.44.59

DNS Request

pastebin.com

DNS Response

172.67.19.24

104.20.4.235

104.20.3.235

DNS Request

clientservices.googleapis.com

DNS Response

142.250.179.227

DNS Request

www.google.com

DNS Response

172.217.16.228

DNS Request

227.179.250.142.in-addr.arpa

DNS Request

225.16.217.172.in-addr.arpa

DNS Request

self.events.data.microsoft.com

DNS Response

52.182.143.214

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

f29cc861.solaraweb-aji.pages.dev
1.1.1.1:53

23.149.64.172.in-addr.arpa

dns

708 B
1.6kB
10
10

DNS Request

23.149.64.172.in-addr.arpa

DNS Request

197.47.66.172.in-addr.arpa

DNS Request

24.19.67.172.in-addr.arpa

DNS Request

www.googleapis.com

DNS Response

216.58.213.10

142.250.179.234

142.250.187.202

172.217.169.74

142.250.200.10

142.250.200.42

142.250.180.10

142.250.187.234

216.58.201.106

216.58.204.74

172.217.16.234

142.250.178.10

172.217.169.42

172.217.169.10

DNS Request

chrome.google.com

DNS Response

142.250.200.14

DNS Request

228.16.217.172.in-addr.arpa

DNS Request

ctldl.windowsupdate.com

DNS Response

199.232.210.172

199.232.214.172

DNS Request

214.143.182.52.in-addr.arpa

DNS Request

131.16.217.172.in-addr.arpa

DNS Request

f29cc861.solaraweb-aji.pages.dev
172.217.16.228:443

www.google.com

https

chrome.exe

4.1kB
14.2kB
16
18
1.1.1.1:53

14.200.250.142.in-addr.arpa

dns

446 B
762 B
6
6

DNS Request

14.200.250.142.in-addr.arpa

DNS Request

clients2.google.com

DNS Response

142.250.180.14

DNS Request

172.210.232.199.in-addr.arpa

DNS Request

f29cc861.solaraweb-aji.pages.dev

DNS Request

f29cc861.solaraweb-aji.pages.dev

DNS Request

f29cc861.solaraweb-aji.pages.dev
1.1.1.1:53

10.213.58.216.in-addr.arpa

dns

368 B
654 B
5
5

DNS Request

10.213.58.216.in-addr.arpa

DNS Request

clients2.googleusercontent.com

DNS Response

172.217.16.225

DNS Request

nexusrules.officeapps.live.com

DNS Response

52.111.236.22

DNS Request

beacons.gcp.gvt2.com

DNS Response

172.217.16.131

DNS Request

f29cc861.solaraweb-aji.pages.dev
8.8.8.8:53

google.com

dns

chrome.exe

56 B
72 B
1
1

DNS Request

google.com

DNS Response

142.250.178.14
1.1.1.1:53

google.com

dns

chrome.exe

56 B
72 B
1
1

DNS Request

google.com

DNS Response

142.250.187.238
1.1.1.1:53

google.com

dns

chrome.exe

56 B
72 B
1
1

DNS Request

google.com

DNS Response

142.250.187.238
8.8.8.8:53

google.com

dns

chrome.exe

56 B
72 B
1
1

DNS Request

google.com

DNS Response

142.250.178.14
1.1.1.1:53

google.com

dns

chrome.exe

56 B
72 B
1
1

DNS Request

google.com

DNS Response

142.250.187.238
8.8.8.8:53

google.com

dns

chrome.exe

56 B
72 B
1
1

DNS Request

google.com

DNS Response

142.250.178.14
1.1.1.1:53

google.com

dns

chrome.exe

56 B
72 B
1
1

DNS Request

google.com

DNS Response

142.250.178.14
8.8.8.8:53

google.com

dns

chrome.exe

56 B
72 B
1
1

DNS Request

google.com

DNS Response

142.250.178.14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57a849.rbs

Filesize
1.0MB

MD5
db3471e1995c3a27dd65a5cf82631a95

SHA1
824197a8af4b392b8540e32f7989b05fbbf815f7

SHA256
a8b04c3c4b17bad3844df378d5010e853bf2246acf0b6dff15012f6ba1a5c4fc

SHA512
67ab91446ff47e4e79482c208a7ef16a8a35e30ed25edda20793156e1242c56c8f8725334af3a226fc6269b771797015b36ae3e3996293d97cb45f792080bcf2

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
10KB

MD5
1d51e18a7247f47245b0751f16119498

SHA1
78f5d95dd07c0fcee43c6d4feab12d802d194d95

SHA256
1975aa34c1050b8364491394cebf6e668e2337c3107712e3eeca311262c7c46f

SHA512
1eccbe4ddae3d941b36616a202e5bd1b21d8e181810430a1c390513060ae9e3f12cd23f5b66ae0630fd6496b3139e2cc313381b5506465040e5a7a3543444e76

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
8KB

MD5
d3bc164e23e694c644e0b1ce3e3f9910

SHA1
1849f8b1326111b5d4d93febc2bafb3856e601bb

SHA256
1185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4

SHA512
91ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\aggregate-error\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\LICENSE.md

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts

Filesize
4KB

MD5
f0bd53316e08991d94586331f9c11d97

SHA1
f5a7a6dc0da46c3e077764cfb3e928c4a75d383e

SHA256
dd3eda3596af30eda88b4c6c2156d3af6e7fa221f39c46e492c5e9fb697e2fef

SHA512
fd6affbaed67d09cf45478f38e92b8ca6c27650a232cbbeaff36e4f7554fb731ae44cf732378641312e98221539e3d8fabe80a7814e4f425026202de44eb5839

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\LICENSE

Filesize
771B

MD5
1d7c74bcd1904d125f6aff37749dc069

SHA1
21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab

SHA256
24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9

SHA512
b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
db7dbbc86e432573e54dedbcc02cb4a1

SHA1
cff9cfb98cff2d86b35dc680b405e8036bbbda47

SHA256
7cf8a9c96f9016132be81fd89f9573566b7dc70244a28eb59d573c2fdba1def9

SHA512
8f35f2e7dac250c66b209acecab836d3ecf244857b81bacebc214f0956ec108585990f23ff3f741678e371b0bee78dd50029d0af257a3bb6ab3b43df1e39f2ec

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url

Filesize
133B

MD5
35b86e177ab52108bd9fed7425a9e34a

SHA1
76a1f47a10e3ab829f676838147875d75022c70c

SHA256
afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319

SHA512
3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62

Download Submit
C:\ProgramData\Solara\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\ProgramData\Solara\Solara.exe

Filesize
133KB

MD5
c6f770cbb24248537558c1f06f7ff855

SHA1
fdc2aaae292c32a58ea4d9974a31ece26628fdd7

SHA256
d1e4a542fa75f6a6fb636b5de6f7616e2827a79556d3d9a4afc3ecb47f0beb2b

SHA512
cac56c58bd01341ec3ff102fe04fdb66625baad1d3dd7127907cd8453d2c6e2226ad41033e16ba20413a509fc7c826e4fdc0c0d553175eb6f164c2fc0906614a

Download Submit
C:\ProgramData\Solara\Wpf.Ui.dll

Filesize
5.2MB

MD5
aead90ab96e2853f59be27c4ec1e4853

SHA1
43cdedde26488d3209e17efff9a51e1f944eb35f

SHA256
46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed

SHA512
f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
cd5aac9e597d0f4c36f504ef44a1646f

SHA1
771e42e2972a42ba317e5fd816f44997aa20b9e5

SHA256
5dcf7afb1efd3ebd4a07afce1864b4aa117175992715af15a1aed7d772f66071

SHA512
2c77fd5abe885a6157bc162a6a2e21d7957265cea217e9cd5b17d344334e5c597feca1fe134426afece884f04c9a509c17fa31247cbf9229a1d4f5026b76dfb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
18fa58591a5560bc451223498588073f

SHA1
ce27e0846b7130f511edfb3a8df4c7886cecb50e

SHA256
5eef6b9e6157ae6f26215bd2c516e8ec5945165f0b9cb6363703965002dae396

SHA512
b80c9925e370028d0d3a426f4d4ffb6c7306cec9672771b9d22d9077f4843a9ab2c5d1bd9b04a3794c51d58203d1663c68b1e11cd24bb781a35140087b3c8f63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
59fed05aba80cb503b596ac41f5a1a44

SHA1
622aceaef718dde39ab6e1d5e82985b890a9385e

SHA256
a91dff733b3c58d872be39cc9d72628127bc7f1d04cd34adfad997f0e66cc479

SHA512
33888fc83309fab7981506510136f1eab97bb16227e4f37d2c529eaeea08b3ad2bda75fabb439724e4b9375126e117b3fb2670843ddcf3f9a94061fb74f7d16f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
bd01e146645694b8f97802e31b401cc9

SHA1
f0927dd00e8f7fb5bdd3a00ab289b7cab0f82c62

SHA256
797f1060ef128b3629e7fb5cef1ac202018d4b9e7777c52bd889f5a15a50a29a

SHA512
1b7df0d5040838dd02aeea78a5c42184d3d95ac0a47ee1d1aaac17226b3a0aebcbebaf9fb752473893afdb5ca547fdd19debb21b666134a8d74fa6e25d7b0862

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4f43c5f143e3a4f9345f42f1b8e96cbd

SHA1
8b045aef3773ee80fed1de48068dbdf7ee9fc81e

SHA256
b2d70504a90b45a6f9b6741cd782d04ef80d4a15c36a2a61fc4af27308d91860

SHA512
23dcfb9b8164055b0834189f42b43ec0a7f534561ad2db9a9e28748fd4b447542a1c0f842e448aff1ec23e3f25d69ba748223ab2739980a92541b74c88266545

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3f3173a7f22c2e93a5b6cb0ca28fc51f

SHA1
df13b9241e606c79e7e8dcf8c9043e9dcdc60aa2

SHA256
87cb323e53cf0864d8f525975075f2acebf24704fdfec101877dfe077f30cd6b

SHA512
b04c113057d5668d2a9c91aefddbd30faa3253f807cbf801d6f4cf2689dc3306843ebdd5ecf394e2559b7c4632fcabcc9649d0fa27ee7141183e82ce86f03305

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
559e5ac042f631df85c68148659caede

SHA1
d9d62a81f0599de0b17fd91a1e2d20e766c0ba3a

SHA256
3695e374aaa217de242fa49a415795c4c415c01a4b1fa5cc1317cd571144d609

SHA512
63114e3485bbd6d7cd05e71cfff2576482d1a57c6ecdceb58257c7c8250c9fc0dd1f36a9133dc15c6138a0a760762bc6b8cc541b02aee88bfb239dce83106d2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
820650bbe48d46137837e7c418976c9f

SHA1
922ee4ec446a7b6321472e6297941061daf04219

SHA256
279ebd8fc197f894d96c95b33b49078435c9af33544883d16740c1dbbaf3be63

SHA512
11c9434258264b00833a921736a3ec8fd5c10d97008c5fec940a4b6143e6944633d1d6aace061d31a20391b09169604a8d82ce74e1ff68c1d313f2b7d13db861

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
adab133bb3ee2e55bf6631f605968c2b

SHA1
e58d75e950fe1db2c8d55dc725aaa66e5b4c9eab

SHA256
a76cbce0db7e44d9d9214403f2c71d5018f82e2eb1e0bd3f4ad29ba5a70efaac

SHA512
2c937b5a38d3b9994b0b50c6e3abbfdc0bb2b2373cc9a9b739db69f82b56493fe125062b1815ebc3f647db1b7c51b64ae01d87846a2422a721b8e2404ab337a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5d0ae9ad2600e773c6eb36e2a05e6e42

SHA1
0081c899904282e0354f0115798a93bd45db1f11

SHA256
f4d4350192a45b75a1d4321ee595b01a17702769291b1fbcb801ea077e5c18e8

SHA512
d48c9e4400055beb3d7562fecb4f6988bb289feb3b23e8abbdf9a41244590dc55a814c48a7f883acc92fceb22cbfaca4bd547a5819acc7a61171bf11de0a51a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9029e0f49fd5cec7130dea0e5a8d0acb

SHA1
1506e8598fc7ff88ea6f6d52ae19c31bcf256fe8

SHA256
bc9896154c364fa0267a233c50d3d5a67d9762acfbde18e3a3178294c05d4d57

SHA512
b956a4656ae3cc778d85f08a339f69a80f335fc7d89f8f6b02281b74e098b5df545968f20403fced434ebeb28ff3056d788570193157b5902bdc0213d376f37b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e6004511d58e68a85b0fc94772b34934

SHA1
90559222cfe512b2a53cb0948e03e1088b59e357

SHA256
0ab4b793d0dba0d5876b232ff3f7c355fa42aae5eea172f3ff8a11d8bbd5f67c

SHA512
ee25c7464f5e4a762401831d94c717c1d73902e112f906b4ccd927079f64fa8e850b156543db076ae1cc2ff8fdfae4f610bd17c8a6ffec6fe370036b53c1d23b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fc7b4876b54d2ddd8f23608433c980a4

SHA1
d3440acb1a241ee2cc1b6956f5aad6f4509596d7

SHA256
ebe9044ef218fec0ecc9d5887b9e6d7d589810bbf8901a249cc28a205f3c6e09

SHA512
eb39a4cf191e6dbf4b6eee79e640955494800fc0541f1384785b66d22531f2409d3f45c4028eaf79f2a0b3eff6fb55b86dd1271c11746fc0d9249a89de60b006

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
51a3880c88a5f59ebb7cd6536d08bda6

SHA1
c3bfb01fae44eda55e73bab1fa47a64f8bf75092

SHA256
71946776224c2dc542ae6f0a882dfa6b07b815dd22203ddc9a56d283325a2246

SHA512
a634239fa284862ea96a6a47d6263330809a68f5c32967d0cc67894007110cf8b4b80d55a85e3e9a6a78fa27be761c5fd041059eda661b2953045543f559f87e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
2dacadb1c378e982cb194e30339be909

SHA1
6033c15e5d01a5f8961729660863d46cf3285758

SHA256
580dd5b1cd336db0433dad3a3b2e227bac2dd87f3294389f108239f736f019c2

SHA512
39be0a942e219d807d1141cb274541eec06baa6a9d7fe5ec9ea082a83ae52bba2b7944c08f5c07746634dd63ae6adbbb784ecf3266e89d5b67a3d17beec263f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
44645b96a2896d0ac9a65788bce457da

SHA1
da9cbff631ce94bfa17f91d5d58e9b703e9156bb

SHA256
3ab90f6b9554b9db601ac6797afae62eedcad39c1d25594bf9364297c33378c3

SHA512
a0c78056d02df7e50c790f2f17f22ca41c7db17f7372f4f34e20bccb1a0ab700990037993583c07c0e9c745e70c8590188c38c288cf458b881305aa9faf2ccb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
e3688747241456b2cc50fbd60e2d6562

SHA1
6fa4b14d77e5cc9ca4d84b27d7f756e8db15103d

SHA256
97adcf31772bbab317339286133a0a8965f1ca539d8837e20ffa360bdb09db6d

SHA512
fe18c5ba7a6a64f4965fb9940b5d81a0154d38292b72ee76963d13b0e39410e0639b0006edc0c8a39753a015c39d7b4b5e9fe3d13b5e11ca5f23231991fc84f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
9b22108dd734c61c6bd1151da915d7bf

SHA1
376174f2d6336a7f177da75ab7b53397371a4713

SHA256
d33821d2da39c9fc547a9a16ca98d0237caa8326b9928f28d16c2e60de61935a

SHA512
aeeefebf92d19f28d271ee336ccee9cce05dfdce4d2f7ad6c0cbb0799477db0f02894f1ebab1400f63311e7be96d4ce1cc54c5105819407e6913b69c8c409981

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
4f63ba12a3265bdda95fb5a4716c2e4c

SHA1
a6ef01ce3c6f17b524075ec1b8c6dbc22ddcf02e

SHA256
e4bfc11bd6d23bd5ed38b7948bcb81f5db322bdf3b6dbb9d983d1aa89beb8f40

SHA512
453d428351ed15478808c6689b4cddb7d13ba75050d0ed5a521ceeac298d619ac2c88b588ad3c662340cd4ee062467b78e676f66395e46724360274a28ca2132

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
5c733f6bf165c857d687c06e89453f11

SHA1
a830bf918eb7bfb7f0ba96a499e78a8e254b66d2

SHA256
dca5f0abc975c073c818d6ee68ed4bd699ded2ac04962f670c38fb18dc4b6aa4

SHA512
093cca098bbb67e32c3dff588c5d71d5c3ed528ff9d80cf4b0ee2c7ce482c65f0306efd6e258dec14c001be8d7b5f82d15a1b97520b712f1ec04c5121db3a419

Download Submit
C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

Filesize
30.1MB

MD5
0e4e9aa41d24221b29b19ba96c1a64d0

SHA1
231ade3d5a586c0eb4441c8dbfe9007dc26b2872

SHA256
5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

SHA512
e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3496_1417628635\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3496_1417628635\cc01fddd-2969-4ffd-94bf-2952ed523a0d.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Windows\Installer\MSIAF1C.tmp

Filesize
122KB

MD5
9fe9b0ecaea0324ad99036a91db03ebb

SHA1
144068c64ec06fc08eadfcca0a014a44b95bb908

SHA256
e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

SHA512
906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

Download Submit
C:\Windows\Installer\MSIAF8B.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSIB79C.tmp

Filesize
297KB

MD5
7a86ce1a899262dd3c1df656bff3fb2c

SHA1
33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

SHA256
b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

SHA512
421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

Download Submit
memory/2676-2804-0x000002877A1E0000-0x000002877A71C000-memory.dmp

Filesize
5.2MB

Download
memory/2676-2808-0x0000028779D60000-0x0000028779E12000-memory.dmp

Filesize
712KB

Download
memory/2676-2805-0x0000028779CA0000-0x0000028779D5A000-memory.dmp

Filesize
744KB

Download
memory/2676-2802-0x000002875F4A0000-0x000002875F4C4000-memory.dmp

Filesize
144KB

Download
memory/3584-10-0x00007FFB676F0000-0x00007FFB681B2000-memory.dmp

Filesize
10.8MB

Download
memory/3584-0-0x00007FFB676F3000-0x00007FFB676F5000-memory.dmp

Filesize
8KB

Download
memory/3584-4-0x000001C2C8120000-0x000001C2C8142000-memory.dmp

Filesize
136KB

Download
memory/3584-2-0x00007FFB676F0000-0x00007FFB681B2000-memory.dmp

Filesize
10.8MB

Download
memory/3584-2386-0x000001C2E2000000-0x000001C2E2012000-memory.dmp

Filesize
72KB

Download
memory/3584-1-0x000001C2C6240000-0x000001C2C630E000-memory.dmp

Filesize
824KB

Download
memory/3584-2384-0x000001C2E0CD0000-0x000001C2E0CDA000-memory.dmp

Filesize
40KB

Download
memory/3584-2809-0x00007FFB676F0000-0x00007FFB681B2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request