8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

Analysis

max time kernel
300s
max time network
306s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
18-12-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

800KB
MD5

02c70d9d6696950c198db93b7f6a835e
SHA1

30231a467a49cc37768eea0f55f4bea1cbfb48e2
SHA256

8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3
SHA512

431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb
SSDEEP

12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe

Executes dropped EXE 2 IoCs

pid	Process
2944	Solara.exe
4904	node.exe

Loads dropped DLL 11 IoCs

pid	Process
2260	MsiExec.exe
2260	MsiExec.exe
2096	MsiExec.exe
2096	MsiExec.exe
2096	MsiExec.exe
2096	MsiExec.exe
2096	MsiExec.exe
2680	MsiExec.exe
2680	MsiExec.exe
2680	MsiExec.exe
2260	MsiExec.exe

Unexpected DNS network traffic destination 34 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1

Blocklisted process makes network request 6 IoCs

flow	pid	Process
19	4472	msiexec.exe
21	4472	msiexec.exe
23	4472	msiexec.exe
21	4472	msiexec.exe
23	4472	msiexec.exe
19	4472	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\P:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
44	pastebin.com
45	pastebin.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\columnify\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\configuring-npm\install.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-help-search.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\gauge\lib\set-immediate.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\models\role.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\fastest-levenshtein\mod.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cssesc\man\cssesc.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\abort-controller\dist\abort-controller.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\lib\internal\streams\readable.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\dist\npx.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\using-npm\scripts.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\indent-string\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@colors\colors\lib\custom\zalgo.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man7\scope.7	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\minipass-fetch\lib\blob.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\git\lib\find.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\types\sigstore\__generated__\sigstore_trustroot.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\docs\binding.gyp-files-in-the-wild.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-rebuild.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\hosted-git-info\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\gauge\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\lib\dir.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\MSVSProject.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\fastest-levenshtein\test.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\are-we-there-yet\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\string_decoder\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\CODE_OF_CONDUCT.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\tlog\types\__generated__\hashedrekord.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\git\lib\which.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\path-is-absolute\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\minor.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\readable-stream\lib\_stream_duplex.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\read-package-json-fast\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-prefix.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@tootallnate\once\dist\overloaded-parameters.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\fund.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-bundled\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\safer-buffer\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\util\encoding.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\jsonparse\examples\twitterfeed.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\convert\dmp.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\client\fulcio.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\aproba\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npmlog\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\is-core-module\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\graceful-fs\legacy-streams.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\make-fetch-happen\lib\cache\policy.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\util\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmsearch\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\utils\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\util\ua.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\types\sigstore\__generated__\google\protobuf\timestamp.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\tlog\types\__generated__\hashedrekord.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\utils\oid.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\@npmcli\fs\lib\write-file.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-audit-report\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\gyp_main.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\readable-stream\errors-browser.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\gauge\lib\template-item.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\make-fetch-happen\lib\cache\key.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\run-script.js	msiexec.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIFCA5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6C7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6D8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2D5C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFC75.tmp	msiexec.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\Installer\MSIF0F9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2E29.tmp	msiexec.exe
File created	C:\Windows\Installer\e57ec29.msi	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF07A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF0E9.tmp	msiexec.exe
File created	C:\Windows\Installer\e57ec25.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57ec25.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2FB0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI360A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF918.tmp	msiexec.exe
File created	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1276	4784	WerFault.exe	116

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3820	ipconfig.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133790331008771411"	chrome.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPath	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\InstanceType = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\corepack	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\PackageCode = "347C7A52EDBDC9A498427C0BC7ABB536"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeRuntime	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\npm	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\DocumentationShortcuts	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductName = "Node.js"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductIcon = "C:\\Windows\\Installer\\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\\NodeIcon"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Version = "303038464"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\PackageName = "node-v18.16.0-x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeEtwSupport = "NodeRuntime"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media\1 = ";"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1840	WMIC.exe
1840	WMIC.exe
1840	WMIC.exe
1840	WMIC.exe
1424	Bootstrapper.exe
1424	Bootstrapper.exe
4472	msiexec.exe
4472	msiexec.exe
2944	Solara.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
2788	chrome.exe
2788	chrome.exe
1536	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe
2788	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1840	WMIC.exe
Token: SeSecurityPrivilege	1840	WMIC.exe
Token: SeTakeOwnershipPrivilege	1840	WMIC.exe
Token: SeLoadDriverPrivilege	1840	WMIC.exe
Token: SeSystemProfilePrivilege	1840	WMIC.exe
Token: SeSystemtimePrivilege	1840	WMIC.exe
Token: SeProfSingleProcessPrivilege	1840	WMIC.exe
Token: SeIncBasePriorityPrivilege	1840	WMIC.exe
Token: SeCreatePagefilePrivilege	1840	WMIC.exe
Token: SeBackupPrivilege	1840	WMIC.exe
Token: SeRestorePrivilege	1840	WMIC.exe
Token: SeShutdownPrivilege	1840	WMIC.exe
Token: SeDebugPrivilege	1840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1840	WMIC.exe
Token: SeRemoteShutdownPrivilege	1840	WMIC.exe
Token: SeUndockPrivilege	1840	WMIC.exe
Token: SeManageVolumePrivilege	1840	WMIC.exe
Token: 33	1840	WMIC.exe
Token: 34	1840	WMIC.exe
Token: 35	1840	WMIC.exe
Token: 36	1840	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1840	WMIC.exe
Token: SeSecurityPrivilege	1840	WMIC.exe
Token: SeTakeOwnershipPrivilege	1840	WMIC.exe
Token: SeLoadDriverPrivilege	1840	WMIC.exe
Token: SeSystemProfilePrivilege	1840	WMIC.exe
Token: SeSystemtimePrivilege	1840	WMIC.exe
Token: SeProfSingleProcessPrivilege	1840	WMIC.exe
Token: SeIncBasePriorityPrivilege	1840	WMIC.exe
Token: SeCreatePagefilePrivilege	1840	WMIC.exe
Token: SeBackupPrivilege	1840	WMIC.exe
Token: SeRestorePrivilege	1840	WMIC.exe
Token: SeShutdownPrivilege	1840	WMIC.exe
Token: SeDebugPrivilege	1840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1840	WMIC.exe
Token: SeRemoteShutdownPrivilege	1840	WMIC.exe
Token: SeUndockPrivilege	1840	WMIC.exe
Token: SeManageVolumePrivilege	1840	WMIC.exe
Token: 33	1840	WMIC.exe
Token: 34	1840	WMIC.exe
Token: 35	1840	WMIC.exe
Token: 36	1840	WMIC.exe
Token: SeDebugPrivilege	1424	Bootstrapper.exe
Token: SeShutdownPrivilege	2624	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2624	msiexec.exe
Token: SeSecurityPrivilege	4472	msiexec.exe
Token: SeCreateTokenPrivilege	2624	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2624	msiexec.exe
Token: SeLockMemoryPrivilege	2624	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2624	msiexec.exe
Token: SeMachineAccountPrivilege	2624	msiexec.exe
Token: SeTcbPrivilege	2624	msiexec.exe
Token: SeSecurityPrivilege	2624	msiexec.exe
Token: SeTakeOwnershipPrivilege	2624	msiexec.exe
Token: SeLoadDriverPrivilege	2624	msiexec.exe
Token: SeSystemProfilePrivilege	2624	msiexec.exe
Token: SeSystemtimePrivilege	2624	msiexec.exe
Token: SeProfSingleProcessPrivilege	2624	msiexec.exe
Token: SeIncBasePriorityPrivilege	2624	msiexec.exe
Token: SeCreatePagefilePrivilege	2624	msiexec.exe
Token: SeCreatePermanentPrivilege	2624	msiexec.exe
Token: SeBackupPrivilege	2624	msiexec.exe
Token: SeRestorePrivilege	2624	msiexec.exe
Token: SeShutdownPrivilege	2624	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1424	Bootstrapper.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 384	1424	Bootstrapper.exe	80
PID 1424 wrote to memory of 384	1424	Bootstrapper.exe	80
PID 384 wrote to memory of 3820	384	cmd.exe	82
PID 384 wrote to memory of 3820	384	cmd.exe	82
PID 1424 wrote to memory of 3272	1424	Bootstrapper.exe	83
PID 1424 wrote to memory of 3272	1424	Bootstrapper.exe	83
PID 3272 wrote to memory of 1840	3272	cmd.exe	85
PID 3272 wrote to memory of 1840	3272	cmd.exe	85
PID 1424 wrote to memory of 2624	1424	Bootstrapper.exe	87
PID 1424 wrote to memory of 2624	1424	Bootstrapper.exe	87
PID 4472 wrote to memory of 2260	4472	msiexec.exe	90
PID 4472 wrote to memory of 2260	4472	msiexec.exe	90
PID 4472 wrote to memory of 2096	4472	msiexec.exe	91
PID 4472 wrote to memory of 2096	4472	msiexec.exe	91
PID 4472 wrote to memory of 2096	4472	msiexec.exe	91
PID 4472 wrote to memory of 2680	4472	msiexec.exe	102
PID 4472 wrote to memory of 2680	4472	msiexec.exe	102
PID 4472 wrote to memory of 2680	4472	msiexec.exe	102
PID 2680 wrote to memory of 4528	2680	MsiExec.exe	103
PID 2680 wrote to memory of 4528	2680	MsiExec.exe	103
PID 2680 wrote to memory of 4528	2680	MsiExec.exe	103
PID 4528 wrote to memory of 764	4528	wevtutil.exe	105
PID 4528 wrote to memory of 764	4528	wevtutil.exe	105
PID 1424 wrote to memory of 2944	1424	Bootstrapper.exe	107
PID 1424 wrote to memory of 2944	1424	Bootstrapper.exe	107
PID 4784 wrote to memory of 3380	4784	wmplayer.exe	117
PID 4784 wrote to memory of 3380	4784	wmplayer.exe	117
PID 4784 wrote to memory of 3380	4784	wmplayer.exe	117
PID 3380 wrote to memory of 1824	3380	unregmp2.exe	118
PID 3380 wrote to memory of 1824	3380	unregmp2.exe	118
PID 2788 wrote to memory of 3536	2788	chrome.exe	124
PID 2788 wrote to memory of 3536	2788	chrome.exe	124
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 2236	2788	chrome.exe	125
PID 2788 wrote to memory of 1876	2788	chrome.exe	126
PID 2788 wrote to memory of 1876	2788	chrome.exe	126

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:3820
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3272
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1840
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\ProgramData\Solara\Solara.exe
  "C:\ProgramData\Solara\Solara.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2944

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding CA83B6B6BF0F79326E7EB97508AE3FC4
  2⤵
  - Loads dropped DLL
  PID:2260
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 07905B56DC953F3E377070158D7E9798
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2096
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A984120D9646F4B77E0903D3EF7C1611 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\wevtutil.exe
    "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Windows\System32\wevtutil.exe
      "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
      4⤵
      PID:764

C:\Program Files\nodejs\node.exe
"C:\Program Files\nodejs\node.exe"
1⤵
- Executes dropped EXE
PID:4904

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4592

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    PID:1824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 3260
  2⤵
  - Program crash
  PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4784 -ip 4784
1⤵
PID:2816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x230,0x234,0x238,0x20c,0x94,0x7fffd837cc40,0x7fffd837cc4c,0x7fffd837cc58
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1968,i,9665116731308401224,8648670190046099860,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1992,i,9665116731308401224,8648670190046099860,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2312,i,9665116731308401224,8648670190046099860,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2336 /prefetch:8
  2⤵
  PID:2580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3184,i,9665116731308401224,8648670190046099860,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3224,i,9665116731308401224,8648670190046099860,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4588,i,9665116731308401224,8648670190046099860,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3744 /prefetch:1
  2⤵
  PID:416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3816,i,9665116731308401224,8648670190046099860,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4068 /prefetch:8
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4764,i,9665116731308401224,8648670190046099860,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5112,i,9665116731308401224,8648670190046099860,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4408 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5132,i,9665116731308401224,8648670190046099860,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4404 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3416,i,9665116731308401224,8648670190046099860,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3236,i,9665116731308401224,8648670190046099860,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1536

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57ec28.rbs

Filesize
1.0MB

MD5
2dc648345554629ff737168fe49b606f

SHA1
9258899d60019c790e0110d4fc05dc30ae5a6228

SHA256
c42024ad159a2ea2ae0b8c1fe1b9a39c2cbd5bf4f5eb38d1922f7b05135b6d16

SHA512
877e9b32bb89ea5f1529437ad1d79cfc55b4d63c3709d57a636572e725cb4ceab61f74bfaad358c981fac6d7a106864476a7545205c11841677804112af20fb5

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
10KB

MD5
1d51e18a7247f47245b0751f16119498

SHA1
78f5d95dd07c0fcee43c6d4feab12d802d194d95

SHA256
1975aa34c1050b8364491394cebf6e668e2337c3107712e3eeca311262c7c46f

SHA512
1eccbe4ddae3d941b36616a202e5bd1b21d8e181810430a1c390513060ae9e3f12cd23f5b66ae0630fd6496b3139e2cc313381b5506465040e5a7a3543444e76

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
8KB

MD5
d3bc164e23e694c644e0b1ce3e3f9910

SHA1
1849f8b1326111b5d4d93febc2bafb3856e601bb

SHA256
1185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4

SHA512
91ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\aggregate-error\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\LICENSE.md

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts

Filesize
4KB

MD5
f0bd53316e08991d94586331f9c11d97

SHA1
f5a7a6dc0da46c3e077764cfb3e928c4a75d383e

SHA256
dd3eda3596af30eda88b4c6c2156d3af6e7fa221f39c46e492c5e9fb697e2fef

SHA512
fd6affbaed67d09cf45478f38e92b8ca6c27650a232cbbeaff36e4f7554fb731ae44cf732378641312e98221539e3d8fabe80a7814e4f425026202de44eb5839

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\LICENSE

Filesize
771B

MD5
1d7c74bcd1904d125f6aff37749dc069

SHA1
21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab

SHA256
24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9

SHA512
b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
db7dbbc86e432573e54dedbcc02cb4a1

SHA1
cff9cfb98cff2d86b35dc680b405e8036bbbda47

SHA256
7cf8a9c96f9016132be81fd89f9573566b7dc70244a28eb59d573c2fdba1def9

SHA512
8f35f2e7dac250c66b209acecab836d3ecf244857b81bacebc214f0956ec108585990f23ff3f741678e371b0bee78dd50029d0af257a3bb6ab3b43df1e39f2ec

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url

Filesize
133B

MD5
35b86e177ab52108bd9fed7425a9e34a

SHA1
76a1f47a10e3ab829f676838147875d75022c70c

SHA256
afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319

SHA512
3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62

Download Submit
C:\ProgramData\Solara\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\ProgramData\Solara\Solara.exe

Filesize
133KB

MD5
c6f770cbb24248537558c1f06f7ff855

SHA1
fdc2aaae292c32a58ea4d9974a31ece26628fdd7

SHA256
d1e4a542fa75f6a6fb636b5de6f7616e2827a79556d3d9a4afc3ecb47f0beb2b

SHA512
cac56c58bd01341ec3ff102fe04fdb66625baad1d3dd7127907cd8453d2c6e2226ad41033e16ba20413a509fc7c826e4fdc0c0d553175eb6f164c2fc0906614a

Download Submit
C:\ProgramData\Solara\Wpf.Ui.dll

Filesize
5.2MB

MD5
aead90ab96e2853f59be27c4ec1e4853

SHA1
43cdedde26488d3209e17efff9a51e1f944eb35f

SHA256
46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed

SHA512
f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
73909210fad68e976d711e0ad4743f2c

SHA1
52718bb0f747126beba3346d1441f26d313f2a1e

SHA256
3307d9fae68f28cf5b5c2c3d7508623ab036b5f3b12d58438276969f6eba68c7

SHA512
ece3a12ba94795526ebf2d5850f604a89065a6c6d1c8a25fb32ada9d9005b61637d7433b9df5b7a068c0d4621bceb319afce3b5079f4acce47050d2e69633732

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
1ba9374ba1fe7c69f2ad447e136de146

SHA1
8f67c33d6561784c14aafc7daab50613f80039d9

SHA256
3fbfe2e4616aa9055f7b4ec2829b59c7635a1c8f6e4c833a3c91e90ff476ac9e

SHA512
84ec175226dcda709a783588495920f3166a142f5895846884850c003ab56091fec180748e5db52b917996a415997febb994063ee5a0941737162b9d6993f0d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
307b8a958d5ecc03dbd6f08ef51f506c

SHA1
3fcc618d3b8578c8bee2bff26a2dc73e81dd4a5f

SHA256
6908ce46de6a2822a204174319cbd635ae3770803573cd83170fb310083dee65

SHA512
b5d9ba1f58093ef6bda2c6e11d6929a5fff702fd9f574bc8cf950bc8314de5f6e8030ac9f36876f27762b0911041eaee4b6a742f474da72ea9c46be7de6e768b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a8a70b8edc00a8dfcee74da762438c50

SHA1
0a0962d9f81b1745da1e1027889b105102a69c53

SHA256
7a15449e2e8b6c19089938e2dccd1fcaec60533c99f842e8a5e0c00165d9b2c0

SHA512
ed9b5891891e4a57c17fbd1821a1d56667ba85839c2cee13af88b3e33ee776fe01cdda873f09223248d28d2d279cbf65166ba9aa36149eb479ad74b0cc16e58e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4000eb38cf1419c694c996a52ed52ea3

SHA1
a8efd8847e6f8297adc5c8f292e9709863396479

SHA256
0845c8761c361e2a1d6d305a717675e8493075f7583ce78026bcf2fdc6fde59e

SHA512
4fe2c58c75762564d4165a401676056c8dba9856dbabcb0f84a76c346172b953b48b04d9303cfc25addba963efbc55266a3fef1b53a2f27ade6aaa159f2a967d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
189B

MD5
d6edf55ba7245fa305bedc92a9577e76

SHA1
c46140a5250b82a279cbb0e0822f1889101516fc

SHA256
df4a2f26fdd727d3ba0903b3d9a6674df2bd91a1fc2dd5d3e392b22d919cd578

SHA512
d1a064ac18a653ec8bf2b65edb9d4178af1ea37b09b9e581c63176fafa55659fdaab47c73ef0d9d915523e6d87f46856b572a3813ed231c8921e2c44b5f43564

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
189B

MD5
ec3a804a691658193ee12eb7eba8a668

SHA1
fe6b98dad0708d3920e47857370f2dbbd5c0e721

SHA256
18e02f18a3a35ab095af3944a34d8a61be78e857f3be13ad5323eae3a44bf6c2

SHA512
e17e9a2248a379f7172e156fafbae531a9a43e975a406297c9b007e1a37a5b5ce10323f71cecba8bce7c98368b97b0eb47c3efdfa7e4f94b3c0ce9bb0cd88cf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
189B

MD5
ff2ed82e9d772e8e0a7fde5af4ee896e

SHA1
fa30c22af932012d70549efb508ef7bc20045120

SHA256
031db3787c9a27846dcd23c5b2dae5606b08d7cb78a81b50291db87fdbc92019

SHA512
3071c329900432246ca8194e830f3253d669b1199cc7b396db455ffdad0a77a7e8976bb6b1f7b1145007c87fb24a70f444363c7b41164ffe1d13b11401829cac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ffb4e1bc5e20cd63f445620498ce84cd

SHA1
bd5ab2cf6ac2dff65f1f85284ebe3d12b332d1d6

SHA256
7c7c6c52d2b83f55f34f67cc66b6d6b9721c6534f11e85b05ad965a2fcc1e234

SHA512
738c52bd5ae5c6d0874bc621f95eda73833be4c5c0281204ed35c443a2bc496d4cbcfe2a8870bb584f4f434124384f6a2343365903cabd7b913cb1a61d0e3d60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
884d781144904a93f47cb5efc8fded61

SHA1
957cbd52a25ce4854a18d0d2fcfa3c0aa59410d6

SHA256
514a079d77da6007604e726fe53c32d782c7e4417e53c51db6774393d0826acc

SHA512
7b68c8a710cf5e67829cdd629723a8eba94612a5b5e751f41ec01b209452244cde378f25f180becf9cf34744446c4927502d6462b213791191ac9793b98102a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f25794288bcff56b499f266b2fa56731

SHA1
d01122286450f51af8c0ad4ce41594895ba76cef

SHA256
42fff05c0a62dbe1197da6793a05ff5c7ccd7b196235c993dfa48cdc29606428

SHA512
676d3812c46512177f2941704d47d7bea726ac777c077f49621a0a1256bd5da62aad47ff750a125e367fc7f885e1160736c3d07c2222d10081aa6f8867176370

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cc066a92e0a2cdfa1af6836c2d7ab6f4

SHA1
48c387b14d360684a3e1c15cd1cfb9c5ebe6d3c0

SHA256
3fb0f84737a3760bd34c950a3469bfdc3a229da8cc41549b808b5f650c4925c7

SHA512
de4881e1f792069a5b1757340f4cc0ffeafdeda58bb87299c44a835d8b944f1249d6d0b01fd8c667eca262b2b091e77c8bdabdbbd3ec531710d2c67aa65d6096

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0bc1d1a1727fa1bdce3b225fd20105a5

SHA1
94058091eebff46fa22afad2aaac1dddd6a0a1d0

SHA256
1c4b9a9a961d6910958eabc4343f26a61d877ff40e5781c055fe67ac0d4a466d

SHA512
657c8a1de018b719f0e5719942ea8eb5f45e33c92a69b46bae1037019f2343382c1442730718bc7e2536d9457436e60b6f10723504125deb2b423418fae65c70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1968d90fde4e5f91aae387893f1daa0e

SHA1
e351a820ed675a59e3d6183d74875c7779e36a06

SHA256
64683c1d80e6b054bb2522929fb250f2008fe8779e30cb6eebdea730c066fed5

SHA512
049085ab8102b1505769dcd1cd12cd84b13bafdb234ecdb3aa03ea6785eb204bede94d5d5287ecb02d168c4ea7b19add8a4fb33bb2ea7f700095c3201cb8a229

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
efd50b7b9f2ebaad7ae3609cfcd0b7e7

SHA1
4910101fe54cf0b20222bb568a5f2dc5d200a518

SHA256
3893dca258e08f4f47573514e596df15888761da2935ebdf5a5c283f96c5fe49

SHA512
d0f56583bf2030c99765cdac84e49e1606e7da489514b9c2edc0b9e1fe94ef0e49e8fe03d77f520105525878bada0edb885450478a6c09cda24da8a609879e53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3b30d90c2e68662b025e36f5b5d8f942

SHA1
f8d738c3912c2463d4216172a0815c0b43d1909e

SHA256
7df1261de4ab1abd856c32ba6f00939c4c067ebce7f2810708c30284e8d6874e

SHA512
bce79b5946074847bfc06626f8cc69c5e8473f33ca6038ffebf0419d62ac735a26b42b2c3396cc3893bfbcd48d3af34baf42e42d8036693ffc858cbeb85f3257

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7d377663442b1987fbe29cba51ff233d

SHA1
6e62b74a8d5e5d0eaceca3ae3f14d20907a0871d

SHA256
e06441fb901a3d9e3b5830ce27a0c9a4831c72c669d5fc1bb5e8b1c90dc9db34

SHA512
ad09a693c869031914a7cce997b03c3e75025ce96a43265a08076daf090c30abeba72f74c2152e71414c8c6cdccad15dc645cb462c76b198c89262bf9a197a0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6a8638ac0a2cb01af3121bcbdbc10a21

SHA1
7a2ec5cfd21a7ce8c85aaad4a40269349ba2a5bc

SHA256
b299af237d6f31e3a1eb9bebfd49bbfd1b233839ad4abb60411e44d26843fd23

SHA512
2459b35b45b0f7c525862f33e6158073e0180ee356c419248448490c8d94950a62049b0d4b6379c2f9e9f33e3e0e88b2b373ed56b33b3a6af6782871d0624e68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
20cc09fdb8d490c3ba4b9dbca74d6ec3

SHA1
357cc1c86659130b62b4e51e56624a7d07071707

SHA256
ed61892cbafb57d2f2906565a8f773b6c43608b372886a76702d11a0d42e3924

SHA512
19e1ea39b5e26c0596b90e10cc2011668628b24eb6250e80741417b739347f3066a9fea8034e4099438b821b72c3c5488cbe0a953eba1a700dc28137357155f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
46dc45b57551445f93085c7f7e80a37b

SHA1
9ae800cea004502da6655da4c8a5f1f2842feb1c

SHA256
17ae0e54a554857942df2e48fcbcf2dd778f91c0dcf909c5f6c5317f447154bd

SHA512
18a0f267cec8ca003bbb448b547aa3c4bb6a008ae50e6ff151db4ac3354ab98cbabd07a86a73ecc3c327b84722e6a085b6aa299f22dba1390b51296d06793df2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
f75f4c809ae6b1e6c41829102e3aa5a1

SHA1
8904f1b04171d123e36a014e32bf9db36ac21476

SHA256
ddf923c326bcfa5ee87cf38e330ca179e4cf51ea78f2fe7c898c1251feebb585

SHA512
fc5902e27a56b89cdacea510c67f567221a7e596edb809aba602fbb40df7704119cbbf3225f99b40474d9962cf7c802949f4c0465a7bf72453ac48c7fc10c8c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
deae7a7432e0b57c51e46e195cbb586e

SHA1
f28d2e92987b5bd8c1bcd8e719ee6af8bfd5cc0c

SHA256
6a69eac58e35557b50a83fad4ab60eaedf1d094f78ac7fda6c125fcd5ec5bc23

SHA512
32c2f6457d3145951fec8d4f729e77511ff6e9c1f00a9ee179f5971761697d368250ad49386b1ed3675a6eafcfc17905a1cc75924e490976bfb10759f5e8d7a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
280842d0124f295cbfbfeb2853954254

SHA1
01ec682e4cedfffbf0c1501309fdd5f0a3255280

SHA256
889b99a3c04bec8f493b1370dc6175846719ae36d9f7c06dcb9a082bf0e3e0a4

SHA512
eb035050011c720e2f8673675df2dd01afbc185f1bce43812740dc352a206b4e7c7097a997de0ab356b5d4ecdab1ea7f2d72e87ea7b64e7e15ef29658ccb07c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
0382b0a03aa791077543ea0ba3147827

SHA1
a686cc591d0004c7931a914e5c45d2a0d85468cb

SHA256
df97f29b5d66818eb1c3bd5489eb69994d03f2efe44b6e14faa39214c03823ed

SHA512
829b5d703c782730c0290533cbc81df82c20806541895f8bbf2604933a56218423d3ff2ccd5586532c28a4cc9fbbd03f1a97f9f0ff22c15b3226691d1a938906

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
987a07b978cfe12e4ce45e513ef86619

SHA1
22eec9a9b2e83ad33bedc59e3205f86590b7d40c

SHA256
f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8

SHA512
39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
554891a536ea0d5ca68b94bbe5b9049b

SHA1
91c8723875b6a7b1efb888a44b15fe853dc8be6a

SHA256
fd7de1f4b40b68cae8b30afcbf3df01469a63f86152dbab7979fd87d81fee30b

SHA512
726bd119781e16f57d65f6aefe04e92783baddaf19e857aff7d7607dc65d5aaf1846580a422be4a35f374646785ac2a4afc7b8a2896d89b7402fbaffe8a96165

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

Filesize
30.1MB

MD5
0e4e9aa41d24221b29b19ba96c1a64d0

SHA1
231ade3d5a586c0eb4441c8dbfe9007dc26b2872

SHA256
5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

SHA512
e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
7c76d8bf185412ae0d4e397f2763b3d8

SHA1
9cc441079af56244436992977b5eb1d4d4450204

SHA256
debbc8ded3d5aa6e11ca395d1fb59ae6b311fb55238b49e6881febe98c157e5e

SHA512
abc32645712c5ad38870aefc265fbe55c7df8eff8c0b0b9927be27a7194c4ddfad85da1b1539f63415b5e2abf93e5bd2634b35b7d561c61d6dcbcbdec5322619

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
1KB

MD5
0cc508624ae678944adf6088158d331e

SHA1
c16b1aee6c266bf52f154e2774cb7288500c5b71

SHA256
72a7ff75180386a8aed449c065e0df5c9d1333099da2c74d88f5f0e7e4fc46b5

SHA512
565142808fb272c6dd15811a3a99aa6c2fc8f035f566f5ab9c18ae7b84ad0a1e354a2f732f6f47f3db166ecde207a41ff16d7c446b7264daf2dbb49b9f43b2ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
3KB

MD5
d7c04f08bd4e583fb5927d888e79cb8a

SHA1
14a5bda6978c37c1999784b57e2d7ec18c309018

SHA256
cddbe970897efc6148214906410f823262cb61ca2495b64f9b98dd464feb7e69

SHA512
56ea6451b0dedbb438989bea4ad3d1f9af9189dc9e6abbdcb47c28686eda48a23a253101f6a13e37057056f66d421ca0d50d6aa0023eb7469eb38c275f91b34d

Download Submit
C:\Windows\Installer\MSIF07A.tmp

Filesize
122KB

MD5
9fe9b0ecaea0324ad99036a91db03ebb

SHA1
144068c64ec06fc08eadfcca0a014a44b95bb908

SHA256
e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

SHA512
906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

Download Submit
C:\Windows\Installer\MSIF0F9.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSIFC75.tmp

Filesize
297KB

MD5
7a86ce1a899262dd3c1df656bff3fb2c

SHA1
33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

SHA256
b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

SHA512
421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

Download Submit
memory/1424-4-0x00000215B9760000-0x00000215B9782000-memory.dmp

Filesize
136KB

Download
memory/1424-29-0x00007FFFD88F0000-0x00007FFFD93B2000-memory.dmp

Filesize
10.8MB

Download
memory/1424-1-0x00000215B7A30000-0x00000215B7AFE000-memory.dmp

Filesize
824KB

Download
memory/1424-2386-0x00000215D21D0000-0x00000215D21E2000-memory.dmp

Filesize
72KB

Download
memory/1424-2809-0x00007FFFD88F0000-0x00007FFFD93B2000-memory.dmp

Filesize
10.8MB

Download
memory/1424-0-0x00007FFFD88F3000-0x00007FFFD88F5000-memory.dmp

Filesize
8KB

Download
memory/1424-2384-0x00000215B9800000-0x00000215B980A000-memory.dmp

Filesize
40KB

Download
memory/1424-2-0x00007FFFD88F0000-0x00007FFFD93B2000-memory.dmp

Filesize
10.8MB

Download
memory/2944-2810-0x000001FC41A10000-0x000001FC41ACA000-memory.dmp

Filesize
744KB

Download
memory/2944-2808-0x000001FC41E90000-0x000001FC423CC000-memory.dmp

Filesize
5.2MB

Download
memory/2944-2805-0x000001FC27350000-0x000001FC27374000-memory.dmp

Filesize
144KB

Download
memory/2944-2812-0x000001FC41AD0000-0x000001FC41B82000-memory.dmp

Filesize
712KB

Download
memory/4592-2824-0x000002BF8E120000-0x000002BF8E121000-memory.dmp

Filesize
4KB

Download
memory/4592-2821-0x000002BF8E120000-0x000002BF8E121000-memory.dmp

Filesize
4KB

Download
memory/4592-2822-0x000002BF8E120000-0x000002BF8E121000-memory.dmp

Filesize
4KB

Download
memory/4592-2823-0x000002BF8E120000-0x000002BF8E121000-memory.dmp

Filesize
4KB

Download
memory/4592-2825-0x000002BF8E120000-0x000002BF8E121000-memory.dmp

Filesize
4KB

Download
memory/4592-2815-0x000002BF8E120000-0x000002BF8E121000-memory.dmp

Filesize
4KB

Download
memory/4592-2826-0x000002BF8E120000-0x000002BF8E121000-memory.dmp

Filesize
4KB

Download
memory/4592-2817-0x000002BF8E120000-0x000002BF8E121000-memory.dmp

Filesize
4KB

Download
memory/4592-2827-0x000002BF8E120000-0x000002BF8E121000-memory.dmp

Filesize
4KB

Download
memory/4592-2816-0x000002BF8E120000-0x000002BF8E121000-memory.dmp

Filesize
4KB

Download
memory/4784-2861-0x000000000A8E0000-0x000000000A8F0000-memory.dmp

Filesize
64KB

Download
memory/4784-2857-0x0000000008470000-0x0000000008480000-memory.dmp

Filesize
64KB

Download
memory/4784-2859-0x000000000A8E0000-0x000000000A8F0000-memory.dmp

Filesize
64KB

Download
memory/4784-2864-0x000000000A8E0000-0x000000000A8F0000-memory.dmp

Filesize
64KB

Download
memory/4784-2866-0x000000000A8E0000-0x000000000A8F0000-memory.dmp

Filesize
64KB

Download
memory/4784-2862-0x000000000A8E0000-0x000000000A8F0000-memory.dmp

Filesize
64KB

Download
memory/4784-2863-0x000000000A8E0000-0x000000000A8F0000-memory.dmp

Filesize
64KB

Download
memory/4784-2860-0x000000000A8E0000-0x000000000A8F0000-memory.dmp

Filesize
64KB

Download
memory/4784-2865-0x000000000A8E0000-0x000000000A8F0000-memory.dmp

Filesize
64KB

Download