xworm | 92928576a5025f65731d63ef466da320c30d77597870966a0ec1c8adb742495b

Analysis

max time kernel
150s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
18/11/2024, 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d7ba3966a48563f7e6b3e2161df4161.png
Size

174KB
MD5

3d83f69ea35a4f67a5affa842a02cda9
SHA1

0b02a589b5716d85163d6f0a275b5694370d8185
SHA256

92928576a5025f65731d63ef466da320c30d77597870966a0ec1c8adb742495b
SHA512

3f3f9bb917dc4957d160a4bb4d8b3a6238193d8b4dbab0514a95bd703682c74be936af9815ac03a65254ece579f251ea67443c8a045c1afb89b18ecda18617a5
SSDEEP

3072:hWLLhhZ7r1/DbdJnjtasC7vl9DX61WMRU1fFFQBSPFdOC5mfvq7atuQ:hWnlv1/PXjtaJ7HDX61dRU1NiyjA5tt

Score

10^/10

xworm defense_evasion discovery execution rat trojan

Malware Config

Extracted

Family

xworm

man-laughing.gl.at.ply.gg:57783

Attributes

Install_directory
%LocalAppData%
install_file
Windows Data Compiler.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2072-3265-0x00000000002C0000-0x00000000002D8000-memory.dmp	family_xworm
behavioral1/files/0x002000000002aa12-3305.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4908	powershell.exe
3372	powershell.exe
2076	powershell.exe
3040	powershell.exe
4876	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Data Compiler.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Data Compiler.lnk	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
4652	node.exe
388	node.exe
1000	node.exe
2072	cmd.exe

Loads dropped DLL 7 IoCs

pid	Process
3980	MsiExec.exe
3980	MsiExec.exe
2600	MsiExec.exe
2600	MsiExec.exe
2600	MsiExec.exe
3116	MsiExec.exe
3812	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
4068	cmd.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	ip-api.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\system32\node_modules\whatwg-url\README.md	node.exe
File created	C:\Windows\system32\node_modules\fs-extra\lib\index.js	node.exe
File created	C:\Windows\system32\node_modules\fs-extra\README.md	node.exe
File created	C:\Windows\system32\node_modules\webidl-conversions\README.md	node.exe
File created	C:\Windows\system32\node_modules\sudo-prompt\README.md	node.exe
File created	C:\Windows\system32\node_modules\fs-extra\lib\ensure\symlink-type.js	node.exe
File created	C:\Windows\system32\node_modules\fs-extra\lib\remove\index.js	node.exe
File created	C:\Windows\system32\node_modules\webidl-conversions\LICENSE.md	node.exe
File created	C:\Windows\system32\node_modules\jsonfile\package.json	node.exe
File created	C:\Windows\system32\node_modules\sudo-prompt\LICENSE	node.exe
File created	C:\Windows\system32\node_modules\whatwg-url\lib\utils.js	node.exe
File created	C:\Windows\system32\node_modules\graceful-fs\graceful-fs.js	node.exe
File created	C:\Windows\system32\node_modules\sudo-prompt\CHANGELOG.md	node.exe
File created	C:\Windows\system32\node_modules\fs-extra\lib\copy\index.js	node.exe
File created	C:\Windows\system32\node_modules\webidl-conversions\package.json	node.exe
File created	C:\Windows\system32\node_modules\whatwg-url\LICENSE.txt	node.exe
File created	C:\Windows\system32\node_modules\webidl-conversions\lib\index.js	node.exe
File opened for modification	C:\Windows\system32\node_modules\.bin\fixsolara.ps1	node.exe
File created	C:\Windows\system32\node_modules\.bin\fixsolara	node.exe
File created	C:\Windows\system32\node_modules\sudo-prompt\package.json	node.exe
File opened for modification	C:\Windows\system32\node_modules\.bin\fixsolara.cmd	node.exe
File created	C:\Windows\system32\node_modules\tr46\lib\mappingTable.json	node.exe
File created	C:\Windows\system32\node_modules\graceful-fs\clone.js	node.exe
File created	C:\Windows\system32\node_modules\jsonfile\index.js	node.exe
File created	C:\Windows\system32\node_modules\fixsolara\package.json	node.exe
File created	C:\Windows\system32\node_modules\node-fetch\lib\index.mjs	node.exe
File created	C:\Windows\system32\node_modules\fs-extra\lib\fs\index.js	node.exe
File created	C:\Windows\system32\node_modules\fs-extra\lib\util\stat.js	node.exe
File created	C:\Windows\system32\node_modules\fs-extra\lib\ensure\symlink-paths.js	node.exe
File created	C:\Windows\system32\node_modules\tr46\index.js	node.exe
File created	C:\Windows\system32\node_modules\graceful-fs\package.json	node.exe
File created	C:\Windows\system32\node_modules\node-fetch\LICENSE.md	node.exe
File created	C:\Windows\system32\node_modules\whatwg-url\lib\URL-impl.js	node.exe
File created	C:\Windows\system32\node_modules\graceful-fs\polyfills.js	node.exe
File created	C:\Windows\system32\node_modules\fs-extra\lib\mkdirs\index.js	node.exe
File created	C:\Windows\system32\node_modules\graceful-fs\README.md	node.exe
File created	C:\Windows\system32\node_modules\sudo-prompt\test-concurrent.js	node.exe
File created	C:\Windows\system32\node_modules\fs-extra\lib\ensure\file.js	node.exe
File created	C:\Windows\system32\node_modules\fs-extra\lib\json\jsonfile.js	node.exe
File created	C:\Windows\system32\node_modules\tr46\package.json	node.exe
File created	C:\Windows\system32\node_modules\graceful-fs\LICENSE	node.exe
File created	C:\Windows\system32\node_modules\graceful-fs\legacy-streams.js	node.exe
File opened for modification	C:\Windows\system32\node_modules\fixsolara\index.js	node.exe
File created	C:\Windows\system32\node_modules\whatwg-url\lib\URL.js	node.exe
File created	C:\Windows\system32\node_modules\fs-extra\lib\move\index.js	node.exe
File created	C:\Windows\system32\node_modules\fs-extra\lib\move\move-sync.js	node.exe
File created	C:\Windows\system32\node_modules\fs-extra\lib\ensure\symlink.js	node.exe
File created	C:\Windows\system32\node_modules\fs-extra\lib\util\utimes.js	node.exe
File created	C:\Windows\system32\node_modules\tr46\.npmignore	node.exe
File created	C:\Windows\system32\node_modules\sudo-prompt\index.js	node.exe
File created	C:\Windows\system32\node_modules\fs-extra\lib\move\move.js	node.exe
File created	C:\Windows\system32\node_modules\jsonfile\utils.js	node.exe
File created	C:\Windows\system32\node_modules\fixsolara\index.js	node.exe
File created	C:\Windows\system32\node_modules\jsonfile\CHANGELOG.md	node.exe
File created	C:\Windows\system32\node_modules\sudo-prompt\test.js	node.exe
File created	C:\Windows\system32\node_modules\fs-extra\lib\copy\copy-sync.js	node.exe
File created	C:\Windows\system32\node_modules\universalify\package.json	node.exe
File created	C:\Windows\system32\node_modules\node-fetch\browser.js	node.exe
File created	C:\Windows\system32\node_modules\jsonfile\LICENSE	node.exe
File created	C:\Windows\system32\node_modules\fs-extra\lib\json\output-json-sync.js	node.exe
File created	C:\Windows\system32\node_modules\.bin\fixsolara.cmd	node.exe
File created	C:\Windows\system32\node_modules\fs-extra\lib\copy\copy.js	node.exe
File created	C:\Windows\system32\node_modules\fs-extra\lib\empty\index.js	node.exe
File created	C:\Windows\system32\node_modules\fs-extra\lib\path-exists\index.js	node.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npx.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\printable.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@pkgjs\parseargs\examples\no-repeated-options.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@pkgjs\parseargs\examples\simple-hard-coded.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\extract.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\es2015\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\dist\esm\fs.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-completion.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\utils\completion.sh	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-stars.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\core\dist\crypto.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\@npmcli\agent\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\make-fetch-happen\lib\cache\policy.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\pack.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\agent\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\socks\docs\examples\javascript\connectExample.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi-cjs\node_modules\ansi-styles\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\metavuln-calculator\lib\hash.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\err-code\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\.release-please-manifest.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\dist\commonjs\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\dist\esm\retry-busy.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\rsort.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-deprecate.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minimatch\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\dist\esm\readdir-or-error.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\warn-mixin.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-user-validate\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\smart-buffer\docs\ROADMAP.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\yarnpkg	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\fs\lib\common\node.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\tar\dist\commonjs\mkdir.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\foreground-child\dist\esm\proxy-signals.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmaccess\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\ssri\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\node_modules\unique-slug\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\bin\npx.ps1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\fs\lib\common\get-options.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\redact\lib\server.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\major.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\ansi-regex\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\bin\npx.cmd	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-help.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\configuring-npm\npmrc.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\tar\dist\commonjs\types.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ci-info\vendors.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-dedupe.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\git\lib\which.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\tuf\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\iconv-lite\encodings\tables\shiftjis.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\parse.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\chownr\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\tar\dist\esm\create.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ignore-walk\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\LICENSE.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\lru-cache\dist\commonjs\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\dist\commonjs\default-tmp.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\query-selector-all.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\package-json\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\commonjs\pattern.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\package-json-from-dist\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\socks\package.json	msiexec.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e589b12.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF4D8196AC3EEABDAC.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFF5DF3123DEB015CC.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\{A6C2B110-5934-4A7F-B8C1-51E7CD51FF82}\NodeIcon	msiexec.exe
File created	C:\Windows\Installer\e589b14.msi	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9CE7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFA8C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFCEE.tmp	msiexec.exe
File created	C:\Windows\Installer\e589b12.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9D46.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A6C2B110-5934-4A7F-B8C1-51E7CD51FF82}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD26.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF2A5295D71280FD97.TMP	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA7E5.tmp	msiexec.exe
File created	C:\Windows\Installer\{A6C2B110-5934-4A7F-B8C1-51E7CD51FF82}\NodeIcon	msiexec.exe
File created	C:\Windows\SystemTemp\~DF67C5978E025ABAC7.TMP	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000485242783223abf50000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000485242780000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090048524278000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d48524278000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000004852427800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 32 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\ProductIcon = "C:\\Windows\\Installer\\{A6C2B110-5934-4A7F-B8C1-51E7CD51FF82}\\NodeIcon"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\EnvironmentPath	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\Version = "369819648"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\NodeRuntime	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\corepack	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\PackageName = "node-v22.11.0-x64.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\npm	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\ProductName = "Node.js"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\PackageCode = "7ADA4E96FE88DF64FB4F54512750A882"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\011B2C6A4395F7A48B1C157EDC15FF28	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\DocumentationShortcuts	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\Net	msiexec.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 908187.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\node-v22.11.0-x64.msi:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 265105.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5040	msedge.exe
5040	msedge.exe
4828	msedge.exe
4828	msedge.exe
4060	identity_helper.exe
4060	identity_helper.exe
4288	msedge.exe
4288	msedge.exe
1032	chrome.exe
1032	chrome.exe
1236	msedge.exe
1236	msedge.exe
984	msiexec.exe
984	msiexec.exe
388	node.exe
388	node.exe
4876	powershell.exe
4876	powershell.exe
4908	powershell.exe
4908	powershell.exe
4908	powershell.exe
3372	powershell.exe
3372	powershell.exe
3372	powershell.exe
2076	powershell.exe
2076	powershell.exe
2076	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe
2072	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
5040	msedge.exe
5040	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	4268	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4268	msiexec.exe
Token: SeSecurityPrivilege	984	msiexec.exe
Token: SeCreateTokenPrivilege	4268	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4268	msiexec.exe
Token: SeLockMemoryPrivilege	4268	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4268	msiexec.exe
Token: SeMachineAccountPrivilege	4268	msiexec.exe
Token: SeTcbPrivilege	4268	msiexec.exe
Token: SeSecurityPrivilege	4268	msiexec.exe
Token: SeTakeOwnershipPrivilege	4268	msiexec.exe
Token: SeLoadDriverPrivilege	4268	msiexec.exe
Token: SeSystemProfilePrivilege	4268	msiexec.exe
Token: SeSystemtimePrivilege	4268	msiexec.exe
Token: SeProfSingleProcessPrivilege	4268	msiexec.exe
Token: SeIncBasePriorityPrivilege	4268	msiexec.exe
Token: SeCreatePagefilePrivilege	4268	msiexec.exe
Token: SeCreatePermanentPrivilege	4268	msiexec.exe
Token: SeBackupPrivilege	4268	msiexec.exe
Token: SeRestorePrivilege	4268	msiexec.exe
Token: SeShutdownPrivilege	4268	msiexec.exe
Token: SeDebugPrivilege	4268	msiexec.exe
Token: SeAuditPrivilege	4268	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4268	msiexec.exe
Token: SeChangeNotifyPrivilege	4268	msiexec.exe
Token: SeRemoteShutdownPrivilege	4268	msiexec.exe
Token: SeUndockPrivilege	4268	msiexec.exe
Token: SeSyncAgentPrivilege	4268	msiexec.exe
Token: SeEnableDelegationPrivilege	4268	msiexec.exe
Token: SeManageVolumePrivilege	4268	msiexec.exe
Token: SeImpersonatePrivilege	4268	msiexec.exe
Token: SeCreateGlobalPrivilege	4268	msiexec.exe
Token: SeCreateTokenPrivilege	4268	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4268	msiexec.exe
Token: SeLockMemoryPrivilege	4268	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4268	msiexec.exe
Token: SeMachineAccountPrivilege	4268	msiexec.exe
Token: SeTcbPrivilege	4268	msiexec.exe
Token: SeSecurityPrivilege	4268	msiexec.exe
Token: SeTakeOwnershipPrivilege	4268	msiexec.exe
Token: SeLoadDriverPrivilege	4268	msiexec.exe
Token: SeSystemProfilePrivilege	4268	msiexec.exe
Token: SeSystemtimePrivilege	4268	msiexec.exe
Token: SeProfSingleProcessPrivilege	4268	msiexec.exe
Token: SeIncBasePriorityPrivilege	4268	msiexec.exe
Token: SeCreatePagefilePrivilege	4268	msiexec.exe
Token: SeCreatePermanentPrivilege	4268	msiexec.exe
Token: SeBackupPrivilege	4268	msiexec.exe
Token: SeRestorePrivilege	4268	msiexec.exe
Token: SeShutdownPrivilege	4268	msiexec.exe
Token: SeDebugPrivilege	4268	msiexec.exe
Token: SeAuditPrivilege	4268	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4268	msiexec.exe
Token: SeChangeNotifyPrivilege	4268	msiexec.exe
Token: SeRemoteShutdownPrivilege	4268	msiexec.exe
Token: SeUndockPrivilege	4268	msiexec.exe
Token: SeSyncAgentPrivilege	4268	msiexec.exe
Token: SeEnableDelegationPrivilege	4268	msiexec.exe
Token: SeManageVolumePrivilege	4268	msiexec.exe
Token: SeImpersonatePrivilege	4268	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe

Suspicious use of SendNotifyMessage 54 IoCs

pid	Process
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
3016	Taskmgr.exe
3016	Taskmgr.exe
3016	Taskmgr.exe
3016	Taskmgr.exe
3016	Taskmgr.exe
3016	Taskmgr.exe
3016	Taskmgr.exe
3016	Taskmgr.exe
3016	Taskmgr.exe
3016	Taskmgr.exe
3016	Taskmgr.exe
3016	Taskmgr.exe
3016	Taskmgr.exe
3016	Taskmgr.exe
3016	Taskmgr.exe
3016	Taskmgr.exe
3016	Taskmgr.exe
3016	Taskmgr.exe
3016	Taskmgr.exe
3016	Taskmgr.exe
3016	Taskmgr.exe
3016	Taskmgr.exe
3016	Taskmgr.exe
3016	Taskmgr.exe
3016	Taskmgr.exe
3016	Taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3968	MiniSearchHost.exe
2072	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 4524	5040	msedge.exe	85
PID 5040 wrote to memory of 4524	5040	msedge.exe	85
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 2072	5040	msedge.exe	86
PID 5040 wrote to memory of 4828	5040	msedge.exe	87
PID 5040 wrote to memory of 4828	5040	msedge.exe	87
PID 5040 wrote to memory of 4612	5040	msedge.exe	88
PID 5040 wrote to memory of 4612	5040	msedge.exe	88
PID 5040 wrote to memory of 4612	5040	msedge.exe	88
PID 5040 wrote to memory of 4612	5040	msedge.exe	88
PID 5040 wrote to memory of 4612	5040	msedge.exe	88
PID 5040 wrote to memory of 4612	5040	msedge.exe	88
PID 5040 wrote to memory of 4612	5040	msedge.exe	88
PID 5040 wrote to memory of 4612	5040	msedge.exe	88
PID 5040 wrote to memory of 4612	5040	msedge.exe	88
PID 5040 wrote to memory of 4612	5040	msedge.exe	88
PID 5040 wrote to memory of 4612	5040	msedge.exe	88
PID 5040 wrote to memory of 4612	5040	msedge.exe	88
PID 5040 wrote to memory of 4612	5040	msedge.exe	88
PID 5040 wrote to memory of 4612	5040	msedge.exe	88
PID 5040 wrote to memory of 4612	5040	msedge.exe	88
PID 5040 wrote to memory of 4612	5040	msedge.exe	88
PID 5040 wrote to memory of 4612	5040	msedge.exe	88
PID 5040 wrote to memory of 4612	5040	msedge.exe	88
PID 5040 wrote to memory of 4612	5040	msedge.exe	88
PID 5040 wrote to memory of 4612	5040	msedge.exe	88

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\5d7ba3966a48563f7e6b3e2161df4161.png
1⤵
PID:4712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe99793cb8,0x7ffe99793cc8,0x7ffe99793cd8
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,17931263419117005136,11684615141155649067,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,17931263419117005136,11684615141155649067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,17931263419117005136,11684615141155649067,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17931263419117005136,11684615141155649067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17931263419117005136,11684615141155649067,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17931263419117005136,11684615141155649067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17931263419117005136,11684615141155649067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,17931263419117005136,11684615141155649067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17931263419117005136,11684615141155649067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17931263419117005136,11684615141155649067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,17931263419117005136,11684615141155649067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17931263419117005136,11684615141155649067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17931263419117005136,11684615141155649067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17931263419117005136,11684615141155649067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17931263419117005136,11684615141155649067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17931263419117005136,11684615141155649067,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17931263419117005136,11684615141155649067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17931263419117005136,11684615141155649067,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17931263419117005136,11684615141155649067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,17931263419117005136,11684615141155649067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,17931263419117005136,11684615141155649067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1236
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\node-v22.11.0-x64.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:4268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe86b4cc40,0x7ffe86b4cc4c,0x7ffe86b4cc58
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2256,i,15666623933748974527,1010484447035644158,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2252 /prefetch:2
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1624,i,15666623933748974527,1010484447035644158,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2488 /prefetch:3
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1904,i,15666623933748974527,1010484447035644158,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2508 /prefetch:8
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,15666623933748974527,1010484447035644158,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,15666623933748974527,1010484447035644158,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4448,i,15666623933748974527,1010484447035644158,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4440 /prefetch:1
  2⤵
  PID:2400

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3312

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:984
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 6C769805322B8D68E81BE4F54F61B513 C
  2⤵
  - Loads dropped DLL
  PID:3980
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1812
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 85A7144ED988ABB8A58F94C4A87BC745
  2⤵
  - Loads dropped DLL
  PID:2600
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 55D944341155ECADB216CA921D1854EB E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:3116
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D5F54F3512AAEF222829C36917B57690
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3812

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3068

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2332

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:1936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:2108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
  2⤵
  PID:2620
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
    3⤵
    - Executes dropped EXE
    PID:4652
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" i fixsolara
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c node index.js
    3⤵
    PID:4244
  - - C:\Program Files\nodejs\node.exe
      node index.js
      4⤵
      Executes dropped EXE
      PID:1000
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Start-Process -FilePath "'C:\Users\Admin\AppData\Local\Temp\58df7c230b1b359cbeec054c2e49ca3b\execute.bat'" -WindowStyle hidden -Verb runAs"
        5⤵
        Hide Artifacts: Hidden Window
        
        PID:4068
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Start-Process -FilePath "'C:\Users\Admin\AppData\Local\Temp\58df7c230b1b359cbeec054c2e49ca3b\execute.bat'" -WindowStyle hidden -Verb runAs
        6⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\58df7c230b1b359cbeec054c2e49ca3b\execute.bat"
        7⤵
        
        PID:860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        Drops startup file
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cmd.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Windows Data Compiler.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Data Compiler.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3040

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3968

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e589b13.rbs

Filesize
935KB

MD5
e8f9254c646442cc06dbbc7d7e38ee5f

SHA1
7f0371fa1f4794044adc6e3653f99770c4993730

SHA256
18ad94e929397661d58703d371f307d5c580b88df61af869ce347144fb20705e

SHA512
8660d97e3d2e2ea84e7ab7adce77aa2d5e58da6ebf4403f217a259dc2267a3b59a3533bb13ea604176bdd172087e0430390a6654dd26898d924924343751e338

Download Submit
C:\Program Files\nodejs\node_modules\npm\bin\npm-prefix.js

Filesize
864B

MD5
92dd1b5a463374142271ff420cb473a5

SHA1
a9f946c6a8c6f273f837703acc74c367b7781a99

SHA256
673f620e40137c295f2cf057364468bf3a71653dfc0973be895ebf7a8c368c2e

SHA512
5e0a6e4a9cff4b37acbece070a592a65ed044a78e1b104517eb5bb233d4398f67140b44e986e7a2de16bfb65b0ab7609e831341efea2a6f583258b6a85f70e01

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\index.js

Filesize
29KB

MD5
a2819bc319ade96e220b81c11ba1fd62

SHA1
f711920489d12ac7704e323de4cea98009299e7d

SHA256
9976a7f202a683370a170f8ab053d89cf6450c9d0596d8bed92bb762f0dca92e

SHA512
64b409c59d3e7df84ddd87163fb03f38d1bbed259323392685e01103ff9d2a43b456a5df5812e2bd3de61e0ae61520ccad444a92ea908a15bd871146630edd32

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\package.json

Filesize
1KB

MD5
901e577d669d97e811a11f172dfb6655

SHA1
25d518b50deb389e311821d64d4b0b106618d7c7

SHA256
245d5f0e2a7508229e1cd3ee5f518d93c99eb8280fb35f7df149fe5222bb8af5

SHA512
ead727e7e751b897e060abbfdbc97ffe8d2c3efb9baffaf922ff97d8d6366bd7cc0727e4355cc4679d065bd2892d2550ab3349b235d9b0e6e0475cb6bc59f397

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\node_modules\@npmcli\fs\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\tuf\LICENSE

Filesize
11KB

MD5
dfc1b916d4555a69859202f8bd8ad40c

SHA1
fc22b6ee39814d22e77fe6386c883a58ecac6465

SHA256
7b0ce3425a26fdba501cb13508af096ade77e4036dd2bd8849031ddecf64f7c9

SHA512
1fbe6bb1f60c8932e4dcb927fc8c8131b9c73afd824ecbabc2045e7af07b35a4155a0f8ad3103bf25f192b6d59282bfc927aead3cb7aaeb954e1b6dbd68369fa

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\shared.types.js

Filesize
79B

MD5
24563705cc4bb54fccd88e52bc96c711

SHA1
871fa42907b821246de04785a532297500372fc7

SHA256
ef1f170ad28f2d870a474d2f96ae353d770fff5f20e642cd8f9b6f1d7742df13

SHA512
2ce8d2cf580623358fef5f4f8925d0c9943a657c2503c80048ca789bf16eacdb980bfc8aaaa50101a738e939926fcf2545500484dcad782c700ee206d8c6f9b9

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\p-map\license

Filesize
1KB

MD5
b862aeb7e1d01452e0f07403591e5a55

SHA1
b8765be74fea9525d978661759be8c11bab5e60e

SHA256
fcf1a18be2e25ba82acf2c59821b030d8ee764e4e201db6ef3c51900d385515f

SHA512
885369fe9b8cb0af1107ee92b52c6a353da7cf75bc86abb622e2b637c81e9c5ffe36b0ac74e11cfb66a7a126b606fe7a27e91f3f4338954c847ed2280af76a5f

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\tar\dist\esm\package.json

Filesize
26B

MD5
2324363c71f28a5b7e946a38dc2d9293

SHA1
7eda542849fb3a4a7b4ba8a7745887adcade1673

SHA256
1bf0e53fc74b05f1aade7451fbac72f1944b067d4229d96bae7a225519a250e4

SHA512
7437cf8f337d2562a4046246fbfcc5e9949f475a1435e94efbc4b6a55880050077d72692cbc3413e0ccd8f36adf9956a6cc633a2adc85fbff6c4aa2b8edac677

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\yallist\dist\commonjs\package.json

Filesize
28B

MD5
56368b3e2b84dac2c9ed38b5c4329ec2

SHA1
f67c4acef5973c256c47998b20b5165ab7629ed4

SHA256
58b55392b5778941e1e96892a70edc12e2d7bb8541289b237fbddc9926ed51bd

SHA512
d662bff3885118e607079fcbeedb27368589bc0ee89f90b9281723fa08bda65e5a08d9640da188773193c0076ec0a5c92624673a6a961490be163e2553d6f482

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\fs-minipass\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\indent-string\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\ini\lib\ini.js

Filesize
7KB

MD5
84b82e208b562cc8c5a48cf65e6ab0f0

SHA1
0adca343dd729beb86ebbb103f9d84e7ebbd17af

SHA256
481b00a4ebbfc83b28b97d32dccd32d7585b29b209930d4db457d91967f172ad

SHA512
377034e60d9d2ef3da96f23cb32f679754a67d3cd5991b1ad899f9f7c1910dcd0d9b0a1b0530046b6016896bd869a1607ef29c99949407959dcece6f9da790f5

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\ini\package.json

Filesize
1KB

MD5
5b29ab3cad80b08ec094c8201333ebe8

SHA1
dee99f05b24963959159f1f061926e9075679be8

SHA256
94ebf2db52f15b5da55a809977e04f02b052abf418cb160a8d0719362295d867

SHA512
a6e66ade3de2cd308b1081548d2e58a87aad15baaa236c4dea73d36a946b6de352c3765d188f350c9311ebea0efc8b0068a8a7e0025e3dfdff84b737be4e475a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmsearch\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\package.json

Filesize
1KB

MD5
80bdf8901061eac24047d6b001499e89

SHA1
a99d447473406d5e862ae9337b7aee363a8d2f13

SHA256
8d349e100fdd613174f8b3c58149545e3d69a959b7fa3f466d457825575f5b3c

SHA512
b81099e82c23e809a558b8fb164338f3faa784e044d558daa4a09ab26179fc4594e170419f9e3d7b26baafb93d6981f001d2e8d3bab023767d219984b4769f03

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\npm-audit-report\LICENSE

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\node_modules\proc-log\LICENSE

Filesize
757B

MD5
8bb6f78000746d4fa0baf4bdbf9e814e

SHA1
4b7049331119a63009aec376677b97c688266613

SHA256
a5103404e4615fa1ed46aef13082dd287bf4b95964e71ffdf198984b3d5882b8

SHA512
ee6874e77e33e0e0fe271ae706b344696201c1c204356e271705d9b0687bb597991c3b589d0fa6b6b38dd2933026c0996b37bc13062a5acb2fdc7f3359cdb262

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\walk-up-path\dist\cjs\index.js

Filesize
474B

MD5
54bd6e9d21ed6021e374d34cfaa3290c

SHA1
e71ef5c7bf958f1599fce51cc98a73f849659380

SHA256
4e86e409d7506477caee910cb50f5bff1dda477878da923bd3888501e1a04036

SHA512
7424455a64824b7ffe72c3ed521684d7ab279b4cabb0fc018e9db04662a92af9187efe30f5a442c3418705895262de6e057858c3cda00c634df3cbc6eebb2407

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\walk-up-path\package.json

Filesize
1KB

MD5
e6b2ad09f00a37da8012022f4b9e0461

SHA1
9af557e76ab4036536d792ca9b3c37d4720c0587

SHA256
2d43790293eb562918790e7fe2a786d86ed8e5a95b45d5e36587be0dbc8ddcd4

SHA512
9ea06c09a0837495bbae225d2913f55f53d5f81b4949bc1640d2cb460e3f61d4d39fbb88a959adc56ca7557870a069e1ec2a92b0c759b457731e93ecad8f9eb7

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\es2015\index.js

Filesize
17KB

MD5
cf8f16c1aa805000c832f879529c070c

SHA1
54cc4d6c9b462ad2de246e28cd80ed030504353d

SHA256
77f404d608e2a98f2a038a8aa91b83f0a6e3b4937e5de35a8dae0c23aa9ee573

SHA512
a786e51af862470ae46ad085d33281e45795c24897e64b2c4b265302fa9cbfa47b262ec188adbc80d51cfc6ba395b500c0d7f5d343ca4fc2b828eaedba4bd29a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\index.js

Filesize
15KB

MD5
9841536310d4e186a474dfa2acf558cd

SHA1
33fabbcc5e1adbe0528243eafd36e5d876aaecaa

SHA256
5b3c0ac6483d83e6c079f9ffd1c7a18e883a9aaeaedb2d65dd9d5f78153476b9

SHA512
b67680a81bb4b62f959ba66476723eb681614925f556689e4d7240af8216a49f0d994c31381bf6a9489151d14ed8e0d0d4d28b66f02f31188059c9b24aaa3783

Download Submit
C:\Program Files\nodejs\node_modules\npm\package.json

Filesize
6KB

MD5
a635c09a3ba36d76e04158ba070c32e2

SHA1
6bdda03a1e34946e25fced365eb9da0df97e9e29

SHA256
6f1feb793d2cfd5ba2c5c9aebe4cd7dbb2d44a401b99d48b14ea3b54cdef2446

SHA512
cac45d9a50fe2b7b786613b3de9dea31921bce05e2bdf5edf07cc3cb6e4a947486435b5ba7b23a34b8f674b04df5d69628c6954e159e7beb6e59b00893eae818

Download Submit
C:\Program Files\nodejs\npm.cmd

Filesize
538B

MD5
6895fc6423c97fbf721a71333137d1ca

SHA1
e0a531a3a869f2c3bb1ea91801a8a386d6aaf73e

SHA256
21b46c69ad6e2f231f02a9e120f4ba6c8e75fef5a45637103002eab99f888ab8

SHA512
0cdaa6bbeefeabf676839d88e96a096b13b9176bd936e11665ebf01e57540e131981a7bee4f113d2b5bd6858656f7cb689d29ee81d9f9e8d7f87d2d91e041ac0

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
72b8c907a5d50eb4917010e78ef8a23b

SHA1
a3e7ebff0927ae76cecdedb6e81422be78786bd3

SHA256
f6424b15af9a46f0ebef4cc2ca73a2b534ed22b2acec189ee9233fd815187e20

SHA512
9def64b5fedadfe38456c608be144706fea63847b5fd4f636af048b2886d88779f8b1268eac2c33e1edf9cc07deaa64de3ab5504b8a16d19e2b03b22b3a08dcc

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url

Filesize
133B

MD5
35b86e177ab52108bd9fed7425a9e34a

SHA1
76a1f47a10e3ab829f676838147875d75022c70c

SHA256
afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319

SHA512
3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
eef4d122f8bf1654f2fa39587b4bc772

SHA1
44a154a863d3284a00dd52881534b35d0eedd6d0

SHA256
90dfae0c893bcfeca726e1c5ee01121213f1bf56f365ebcd24f8a2173b6b06d6

SHA512
27402871d4e035000ac1b9259d9631cc30815fe1982f6b2d2c1d6db082e2496f8d55547f65bb2dbfd77b3521fd66fc438bed7ddc5efe90e9914cdee5e2eeb4d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_0D7BFF9D231ADDC3439B70E4C5E809D4

Filesize
727B

MD5
21fa5777ea4ab164dae993a4b0bf6d72

SHA1
7208c8c8b18869ee177a2ccf891f1cb55fe2ea27

SHA256
a1bd67880fae968a874e4d7598edccde074fb3e75a1f44c3583cf19e379bf467

SHA512
7f1f193e41d23821272697a181c5c253c0de628150ba324e964f90ae23f1ead09b77344f9de3cec096019347bce2fd5b4f15bf1d580aef8a3c0f2998d8dff0f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
397ff398089ad38f837ed86c42e78205

SHA1
8aeb6f8664552b8486b41cbf7546219c5fc5e7d7

SHA256
712f75d7057e41be9228c2c7267c39993f3bd618b468d1e44c233bbe76cfed1d

SHA512
3ac2414e49638504a079a4e2b6ea08441fed868d1c3a3c0ae3ee99e64c6c61f03118483609751dab9da3ff5d7fa08c887661205017afd6e011d433bcbd26d0be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
40aaa5e271dc0ab71a84b27ed2d66fe7

SHA1
d9c390a3d762472668d821d71445f44e0c3fd8a8

SHA256
3846486b3cfdd79f6daa741e2be6844b517530591e6a60807f90ef22c31f75b1

SHA512
1be6e1cd70f5b831f9829ed1c102c7502d4100670485acc455b9b6e1cd3def89367846e69e2a0274e4b2d57263b93388f9ce3a967d1b0375a9748170a4b0e9fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_0D7BFF9D231ADDC3439B70E4C5E809D4

Filesize
404B

MD5
ee68394357d42091ffe3db6e31524f82

SHA1
28c891fe1aabaef77ef43cd05b744c55f78b6f22

SHA256
aba76a3723fb9888c38bd6731930534b8e2f57c299da4a31ed2bc65d4e86d839

SHA512
6c0c7efa0956371447392ff52a875cb4bb38aaa85c1c38f6b0e900bcc7329a01d48b7c5355a639f5d343bdf428d90a56856cb23c0d9d47b7428f54371fdcbed5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
e411164521a741b20371092e39ac9819

SHA1
b70a841a2324997a9485f1510db8c6ce32696011

SHA256
2bca089cc7d97683a2df3d65af64979df1ca7dbf8ea65e46f087fb149755ad03

SHA512
64f77fc553c301c68d75d62116bf4c8664ccd42b16256a77157f62772c11ad024255984ca85bc83f37ad05784f4dd4ca733127aa46dce716c7271c8500827ffa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
05aaa71e5adbe688da2895a600c8c0f6

SHA1
22155070e9ea0555c4097919fa3488db0502f2ae

SHA256
35bc019b9149d060cd71e3501ee5e634709c295a78f12456633fb2f0ef93f80d

SHA512
70095e0c6d76b19120174e839f47cdbc9ec78d3364a0f6f678cb929fcc013c224b81c442402aa909f3a5e387a85f5742813a68e6136ea9d390ea74e63cbd49c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
1151e28a595b8c978bde1493d00acd55

SHA1
a580adbb4f417bf8f0c70f6b2bfcf5be219cd5a1

SHA256
77dbf918918e34f237c96f13b2ac58124096caff4bdc0455b22e4df3dae8f361

SHA512
20bf952d68bf327ec5ad21111b070542bb9224d5d8ef40c23de0f70bceeb27372245acb7ade22e0e1b892752d88223e4fb79a6ac6eb0f3bce7d15b2744841cdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
463c2484bb42b0a1d17f07d6b0de55be

SHA1
fd0a76dcee7fa013f726c160567e8107af8cc890

SHA256
d1f59418350a2571226e59632e8bcf26ad46c064957d23dff3fde391c1dd3e6f

SHA512
b61113dd1c084c5108de1ce6ade77119c5e9f6b76f57f33052ee405c34be8d1de90771394fade4550d0ba79e37ff3992f0db6742bb84150af640125ce5f641cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
ae498824905b5172cd971620e9afee25

SHA1
a0daef61c7ab2334504324e094ecf22a164026cc

SHA256
013a5f531b6e8e8059da435f2ff88c253fafafabcb3f89f93916e2d4da661308

SHA512
80aef3a4cc85220aeddb04fb65ebaf3e55745caea53b2963e84bc358bf8dd5106a0feb117b65922765645c6f03736834e5243980e2c6813a9116a3702de9e8e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f4b5e9e2f2924a60b411a9ccdadba778

SHA1
6a2b7b909cd4d386df4368465c357115478678a2

SHA256
4592409aa64b2bc6eaa8d4aa7ece7d0b708254958d1187a76ea20b2ba286097a

SHA512
8a884575dd0d25d123fd2208bb6990d4487a5054513d9184afcbf975264b3384372d8193d91e04d10a648fd8ecbf53311d9c28cb20909f3e3c774d9e912c772e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
612B

MD5
def042ebbebaf73a5f5b830de59c7414

SHA1
b96ae73c95a1cbdd6ed6b4035a54f0775b0df49b

SHA256
e3f0f28d7cbc205f354db46f4d697a6dbd165fe18aa140945f0ff74e457b539c

SHA512
f185646cea0b12263ac2b947da77217bb4ce3a36eb2d278029fb048c3a501266bf8a4b7702c6eec1ddc598b74bea57745239ad8d55d63906d2dc28c3dbe5b6ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
476f94a9816f1d993069fc1026c7e004

SHA1
cb2611e5b15d3893a5f0e6472b8eb10e4a41e3fb

SHA256
1b4571782e6adba0aab5a1c4c3dd82207d9bcf8e2ff435dc8e187658bcb17ced

SHA512
df7c23767d359b8b36e9dea685f69e8bbf4ff247dd7be743c6527a2ab8a1280dfff9ba33f46977c9571ba38b9b065ce3f954d3104d1c53db7c2207fb600d825f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
29caeaa0bfe2897576c3e6633e1a3a7e

SHA1
235810c5bbd2fdff80502633c8892f00f9baf841

SHA256
3bbfcd9f7b391886037d44f11849c515837ae3f444f392cea5925c0b4d920ca5

SHA512
750691fbe9b9d8b9a7c432c311a61f8110611a9dd34c852184031073d16d7df309a4af51fff318b818823c507a253b324303a7058973caa74f805cc1c139b9dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6f4ea2ee91c8cb5eb2eb18bb08219309

SHA1
2d79bc1e78f9c602a81927b55a2b5d4aa9404740

SHA256
906ca3ad341d80291756cfd291209bcefb1db1707fadbadb0df0d625dbbb7031

SHA512
e6dfb777172ce9d065f49e92ff5d30fa3ccefdbc50cbc8b0f0102bfc0524ea3ebb188efdad866172172f3d86feaf60635569253ce4207d9db5bec5b905f5bc25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1d7a43706ff1c78506d72fad5e8e07a4

SHA1
350bd5abc072b3c6e26b788b3ed9f0bd55208107

SHA256
5f4283c485194ce4de8d5f774b704928794495adfe2b9d2172eb604df2e6f545

SHA512
28a1ded6840242ba5d545e0d5906f4319f55b75ee17cbacd115b1d543377956d42638455ea8ab93723ff062d64be441cf0b58c3bee6b333c225c6e68a0c66ba8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
9a6993133123cc4bdafa171e67da210a

SHA1
d1a713c98b135a68e0e640a80c8eedee784eff2e

SHA256
0d10e54f089fd452ee4bcd9c86670fb9fdedad81aabe18bacd3b7239d74225e6

SHA512
740ed50dd0cc3ae715e6520ddf55012a33e77ebcb56c6e4b6417189b396d4b47feb5c979b84e008ca87c2e91ad211daa0a520fef359f375b076c4d8874607eaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
3697c2a2c2a96ffdb9000a1ff8d7eff6

SHA1
431e41b26faec665e83b0927092971f3049367a1

SHA256
7b37cf6d92e30bbe2f41fcb8b1664f67d2ee36a63fdaa7ce187fd26a9bf44a4a

SHA512
b077c5f83ae1a0d997398eb0032ba064a52ec63d6237d648d64862fb182a3d399a2cdff59a38b79b12c1b66fd9df861d40c32a77b636d0cb8da1ee64f517277b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f28e.TMP

Filesize
537B

MD5
50dad95bcb92689549b00286e529d246

SHA1
cb46fc79979a11ff0e84151de6ce6985df82a48b

SHA256
1f5de8b4ef88c542bd0793593cea4971d407ec7d3d92aec60b635b57e5a01783

SHA512
a2aac6daae05fd8b914522d4a1784d1fc19504081ef6f7df4efc778836c4e60ed2039601b42734235bfba8d454437cc21beb4a331d52f2a3eeccf520da462ad0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2e50d385f7aae82385720c2c08872d2e

SHA1
ee7b844f83cb1821ad9441f6bd64e3e26d42dbac

SHA256
93deb69c51f378a12adb874720cf6797597b3083f26af85dd0dc6e5a66a048d8

SHA512
0e0f09999c878a33dde3baf1386351312bacd622433be8ddd9ac3fa66f9fcb734b92864b28ae1f2344740168a6d10a4340d2e4e2df56cc61a932cc3e8043b8b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
97b53bbbded3ddfe520da01257f72a40

SHA1
a9e8698d68c3fe192126f6a7f32a495ab09babcd

SHA256
15c39860261f8393ca0f746e2a4008ddea40cce686d1883660a5b60da3f623f9

SHA512
008a830bd4f0779dd85df841ed54117bd307d8a7fced8b3f51494e36d8814c77735dedb350c03a636706837bc9c4d12029531a47f7ca7f5bc335f8d0c731b70e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6c23e9dab9a5893431dca81fb8a60abe

SHA1
71d7aba1df066d3c6ca324e4cef6bf0003458c3e

SHA256
60bffbeaeacef03e78cfbc4043217dc13a34df23eea18b7c74de88262589c10c

SHA512
ee9a7d59cd06667bc2d43a9009c4ae134e9d4f26fef2e1a5cc82f569c3ff83c924e6c71d8536ff2469da341c7fcbd82237491304820b641b4f338be17eeff509

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7c353bbb0909259980c6a8480d9b4f15

SHA1
1f0ff51f5778d132e30f226371493a580cc73383

SHA256
4858b803ade986a5972213ac842b329d100e654d872c401824d7365a99267685

SHA512
ae772bb0f8a4bec70a827939ae37fa47a638e7b67594198bfaacb3f82d3278343f771fe1783c7ae811251ead06485666199467443ca3566265fe7e5eb3e393ad

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
3db2316a846ffe2502906ae64ba5e132

SHA1
0024694a8c3bff7d1305e5c1ed069602826ec9eb

SHA256
f1d1b887db9d85228c96bb44f9c545e7eeb484f3a2317ce0f4b5f9cbce370332

SHA512
9c85b9a84139bef03240195d282291d5fcc5de38579a1cc1592860524699371d68c5a00035da838adeb2c9956e9fc41e5646f05a048220efa6e04c412291364e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI45BE.tmp

Filesize
144KB

MD5
7fa9d662d634534d7c2240dd126bdeee

SHA1
bd01e22ed2da0d0d485824b372ac67da683863d2

SHA256
c0e8683b697b3c6e55deb4497d3434d6e2cc841eb8c9a1b7d3f8907cff7de206

SHA512
cbc737e3eb94151c9dacaa5ee780cb550176ca2be2e0c66925884b5bc6222b7bcde5ed66e881f2a76f3d26edf5331abf0e74c819ad4f5fd7d0819bc4c138bb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI467B.tmp

Filesize
390KB

MD5
80bebea11fbe87108b08762a1bbff2cd

SHA1
a7ec111a792fd9a870841be430d130a545613782

SHA256
facf518f88cd67afd959c99c3ba233f78a4fbfe7fd3565489da74a585b55e9d1

SHA512
a760debb2084d801b6381a0e1dcef66080df03a768cc577b20b8472be87ad8477d59c331159555de10182d87340aa68fe1f3f5d0212048fd7692d85f4da656f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ztuzrk5p.rtl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Windows Data Compiler.exe

Filesize
73KB

MD5
4d06f782ea4baaa7e29f2c5f51881424

SHA1
05f011ea63cd2a858a810d1c4af731dd62e25475

SHA256
3c3d3296877df802b4f277b3ced693150e9f8277b99e24efbbc972518da25cc5

SHA512
1da805173099e7067b7be97d4189b542a61b6eab8ac7d24df638f71a8e6d18a133a5f8ad6bc4c912e06ad64c2852be9bdbfa14ac82870b5adfd786385f99423d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 908187.crdownload

Filesize
28.9MB

MD5
fa9e1f3064a66913362e9bff7097cef5

SHA1
b34f1f9a9f6242c54486a4bc453a9336840b4425

SHA256
9eea480bd30c98ae11a97cb89a9278235cbbbd03c171ee5e5198bd86b7965b4b

SHA512
ad3e9469326dccac6b49185b5b2814ba700b5d83b4b3ce17f85a9adc5f90bdebf54d79800b253ed5c371ab82d27304841f86ab1a8a3c7ffade8a2d78e55dc99f

Download Submit
C:\Users\Admin\Downloads\node-v22.11.0-x64.msi:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\Installer\MSIFCEE.tmp

Filesize
341KB

MD5
74528af81c94087506cebcf38eeab4bc

SHA1
20c0ddfa620f9778e9053bd721d8f51c330b5202

SHA256
2650b77afbbc1faacc91e20a08a89fc2756b9db702a8689d3cc92aa163919b34

SHA512
9ce76594f64ea5969fff3becf3ca239b41fc6295bb3abf8e95f04f4209bb5ccddd09c76f69e1d3986a9fe16b4f0628e4a5c51e2d2edf3c60205758c40da04dae

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
00e7a1225d48b9545b1999a748d07477

SHA1
bd5ecebce133c27b4d60ddba00f0b7663395dec3

SHA256
79a57560d5e41dcf3b2ab2886372e88db6023ad832e6c537e43e742e8eb88414

SHA512
04def146e8ce87f1bfbf4c9a58d16c778fd2c2865fc938bc07b41db1e5501d727114fe51383228ed4dca3239b58be066e604df71f724b0d1c949c5a88672c6c5

Download Submit
\??\Volume{78425248-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{cd2d2060-0180-4e2e-818a-f86ae99f2965}_OnDiskSnapshotProp

Filesize
6KB

MD5
640aeef0afa7c10b81ec7a3c266d53e5

SHA1
986f4305aafc4d31cacfa42d2d7f396f11bf00eb

SHA256
12396604c46e598dd59c8336e2c87c2ca53d81cdbe3fd107fd09776ed8e96c11

SHA512
c1dd47b494f1faf30ec3356d968025ca48290394f66051418fb98866a7a8c192a3ae51aa7a69761d7f763dae3aa27db306f31f5a73d93d0f013d2004af20c98b

Download Submit
memory/2072-3265-0x00000000002C0000-0x00000000002D8000-memory.dmp

Filesize
96KB

Download
memory/3016-3329-0x000001C102890000-0x000001C102891000-memory.dmp

Filesize
4KB

Download
memory/3016-3328-0x000001C102890000-0x000001C102891000-memory.dmp

Filesize
4KB

Download
memory/3016-3330-0x000001C102890000-0x000001C102891000-memory.dmp

Filesize
4KB

Download
memory/3016-3340-0x000001C102890000-0x000001C102891000-memory.dmp

Filesize
4KB

Download
memory/3016-3339-0x000001C102890000-0x000001C102891000-memory.dmp

Filesize
4KB

Download
memory/3016-3338-0x000001C102890000-0x000001C102891000-memory.dmp

Filesize
4KB

Download
memory/3016-3337-0x000001C102890000-0x000001C102891000-memory.dmp

Filesize
4KB

Download
memory/3016-3336-0x000001C102890000-0x000001C102891000-memory.dmp

Filesize
4KB

Download
memory/3016-3335-0x000001C102890000-0x000001C102891000-memory.dmp

Filesize
4KB

Download
memory/3016-3334-0x000001C102890000-0x000001C102891000-memory.dmp

Filesize
4KB

Download
memory/4876-3258-0x000001BB6B970000-0x000001BB6B992000-memory.dmp

Filesize
136KB

Download