9eea480bd30c98ae11a97cb89a9278235cbbbd03c171ee5e5198bd86b7965b4b

Resubmissions

19-12-2024 13:09

241219-qdzx4stlfy 10

18-12-2024 23:58

18-12-2024 23:03

18-12-2024 22:59

18-12-2024 22:44

18-12-2024 22:36

18-12-2024 22:31

Analysis

max time kernel
149s
max time network
146s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
18-12-2024 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

node-v22.11.0-x64.msi
Size

28.9MB
MD5

fa9e1f3064a66913362e9bff7097cef5
SHA1

b34f1f9a9f6242c54486a4bc453a9336840b4425
SHA256

9eea480bd30c98ae11a97cb89a9278235cbbbd03c171ee5e5198bd86b7965b4b
SHA512

ad3e9469326dccac6b49185b5b2814ba700b5d83b4b3ce17f85a9adc5f90bdebf54d79800b253ed5c371ab82d27304841f86ab1a8a3c7ffade8a2d78e55dc99f
SSDEEP

786432:EtShU+9S49htlhk3tKuiU9IsO9IP1/lBMS8k4:EAUK/U9IN961/l

Score

7^/10

discovery persistence phishing privilege_escalation

Malware Config

Signatures

A potential corporate email address has been identified in the URL: currency-file@1
phishing

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	3700	msiexec.exe
3	3700	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
22	pastebin.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\list.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\mkdirp\dist\mjs\path-arg.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass\dist\commonjs\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\retry\lib\retry.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\dist\commonjs\rimraf-native.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\dist\esm\platform.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\dist\esm\readdir-or-error.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\supports-color\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\git\lib\errors.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\commonjs\walker.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\json-stringify-nice\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\which\node_modules\isexe\dist\cjs\win32.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\tar\dist\esm\replace.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\core\dist\x509\sct.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\lib\link-gently.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\cacache\lib\entry-index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\nopt\lib\debug.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@pkgjs\parseargs\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\run-script\lib\run-script-pkg.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\fastest-levenshtein\LICENSE.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\dist\esm\rimraf-move-remove.d.ts.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\internal\re.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-outdated.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-diff.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\package-json\lib\update-scripts.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cross-spawn\lib\util\resolveCommand.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\http-cache-semantics\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\dist\commonjs\opt-arg.d.ts.map	msiexec.exe
File created	C:\Program Files\nodejs\npx.ps1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmpublish\lib\provenance.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\minipass-fetch\lib\body.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\lib\util\add-git-sha.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\util\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\qrcode-terminal\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\strip-ansi\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\unpack.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\diff\base.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\start.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\package-json\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\fastest-levenshtein\esm\mod.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\iconv-lite\encodings\tables\big5-added.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\SECURITY.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\bin\node-gyp-bin\node-gyp	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\audit.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@isaacs\cliui\node_modules\emoji-regex\es2015\RGI_Emoji.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\fastest-levenshtein\mod.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\eq.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\node_modules\@npmcli\fs\lib\common\node.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-access.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-install-checks\lib\dev-engines.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\socks\docs\examples\javascript\associateExample.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\gyp_main.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\exponential-backoff\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\https-proxy-agent\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ms\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\minipass-fetch\lib\headers.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\node_modules\minipass-fetch\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\star.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\node_modules\make-fetch-happen\lib\pipeline.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\dist\commonjs\path-arg.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sprintf-js\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-ls.1	msiexec.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e581f89.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF63B80803841033E8.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4B51.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2101.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFC160B34FCACBE92A.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\{A6C2B110-5934-4A7F-B8C1-51E7CD51FF82}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI499B.tmp	msiexec.exe
File created	C:\Windows\Installer\e581f89.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2875.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF2BE6F81F5A5DD152.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2083.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A6C2B110-5934-4A7F-B8C1-51E7CD51FF82}	msiexec.exe
File created	C:\Windows\SystemTemp\~DFC5A706A7E5FDE96C.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI25C5.tmp	msiexec.exe
File created	C:\Windows\Installer\{A6C2B110-5934-4A7F-B8C1-51E7CD51FF82}\NodeIcon	msiexec.exe
File created	C:\Windows\Installer\e581f8b.msi	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
5084	node.exe

Loads dropped DLL 7 IoCs

pid	Process
3328	MsiExec.exe
3328	MsiExec.exe
992	MsiExec.exe
992	MsiExec.exe
992	MsiExec.exe
5116	MsiExec.exe
3344	MsiExec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3700	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000004c79797f2efc73ee0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800004c79797f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809004c79797f000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d4c79797f000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000004c79797f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\011B2C6A4395F7A48B1C157EDC15FF28	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\EnvironmentPath	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\PackageCode = "7ADA4E96FE88DF64FB4F54512750A882"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\npm	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\NodeRuntime	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\InstanceType = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\corepack	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\PackageName = "node-v22.11.0-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\ProductName = "Node.js"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\Version = "369819648"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\ProductIcon = "C:\\Windows\\Installer\\{A6C2B110-5934-4A7F-B8C1-51E7CD51FF82}\\NodeIcon"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\DocumentationShortcuts	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28	msiexec.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3436	msiexec.exe
3436	msiexec.exe
568	msedge.exe
568	msedge.exe
3348	msedge.exe
3348	msedge.exe
2684	msedge.exe
2684	msedge.exe
3796	identity_helper.exe
3796	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1544	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3700	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3700	msiexec.exe
Token: SeSecurityPrivilege	3436	msiexec.exe
Token: SeCreateTokenPrivilege	3700	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3700	msiexec.exe
Token: SeLockMemoryPrivilege	3700	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3700	msiexec.exe
Token: SeMachineAccountPrivilege	3700	msiexec.exe
Token: SeTcbPrivilege	3700	msiexec.exe
Token: SeSecurityPrivilege	3700	msiexec.exe
Token: SeTakeOwnershipPrivilege	3700	msiexec.exe
Token: SeLoadDriverPrivilege	3700	msiexec.exe
Token: SeSystemProfilePrivilege	3700	msiexec.exe
Token: SeSystemtimePrivilege	3700	msiexec.exe
Token: SeProfSingleProcessPrivilege	3700	msiexec.exe
Token: SeIncBasePriorityPrivilege	3700	msiexec.exe
Token: SeCreatePagefilePrivilege	3700	msiexec.exe
Token: SeCreatePermanentPrivilege	3700	msiexec.exe
Token: SeBackupPrivilege	3700	msiexec.exe
Token: SeRestorePrivilege	3700	msiexec.exe
Token: SeShutdownPrivilege	3700	msiexec.exe
Token: SeDebugPrivilege	3700	msiexec.exe
Token: SeAuditPrivilege	3700	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3700	msiexec.exe
Token: SeChangeNotifyPrivilege	3700	msiexec.exe
Token: SeRemoteShutdownPrivilege	3700	msiexec.exe
Token: SeUndockPrivilege	3700	msiexec.exe
Token: SeSyncAgentPrivilege	3700	msiexec.exe
Token: SeEnableDelegationPrivilege	3700	msiexec.exe
Token: SeManageVolumePrivilege	3700	msiexec.exe
Token: SeImpersonatePrivilege	3700	msiexec.exe
Token: SeCreateGlobalPrivilege	3700	msiexec.exe
Token: SeCreateTokenPrivilege	3700	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3700	msiexec.exe
Token: SeLockMemoryPrivilege	3700	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3700	msiexec.exe
Token: SeMachineAccountPrivilege	3700	msiexec.exe
Token: SeTcbPrivilege	3700	msiexec.exe
Token: SeSecurityPrivilege	3700	msiexec.exe
Token: SeTakeOwnershipPrivilege	3700	msiexec.exe
Token: SeLoadDriverPrivilege	3700	msiexec.exe
Token: SeSystemProfilePrivilege	3700	msiexec.exe
Token: SeSystemtimePrivilege	3700	msiexec.exe
Token: SeProfSingleProcessPrivilege	3700	msiexec.exe
Token: SeIncBasePriorityPrivilege	3700	msiexec.exe
Token: SeCreatePagefilePrivilege	3700	msiexec.exe
Token: SeCreatePermanentPrivilege	3700	msiexec.exe
Token: SeBackupPrivilege	3700	msiexec.exe
Token: SeRestorePrivilege	3700	msiexec.exe
Token: SeShutdownPrivilege	3700	msiexec.exe
Token: SeDebugPrivilege	3700	msiexec.exe
Token: SeAuditPrivilege	3700	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3700	msiexec.exe
Token: SeChangeNotifyPrivilege	3700	msiexec.exe
Token: SeRemoteShutdownPrivilege	3700	msiexec.exe
Token: SeUndockPrivilege	3700	msiexec.exe
Token: SeSyncAgentPrivilege	3700	msiexec.exe
Token: SeEnableDelegationPrivilege	3700	msiexec.exe
Token: SeManageVolumePrivilege	3700	msiexec.exe
Token: SeImpersonatePrivilege	3700	msiexec.exe
Token: SeCreateGlobalPrivilege	3700	msiexec.exe
Token: SeCreateTokenPrivilege	3700	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3700	msiexec.exe
Token: SeLockMemoryPrivilege	3700	msiexec.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
3700	msiexec.exe
3700	msiexec.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe
568	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe
1544	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 3328	3436	msiexec.exe	80
PID 3436 wrote to memory of 3328	3436	msiexec.exe	80
PID 3436 wrote to memory of 1952	3436	msiexec.exe	84
PID 3436 wrote to memory of 1952	3436	msiexec.exe	84
PID 3436 wrote to memory of 992	3436	msiexec.exe	86
PID 3436 wrote to memory of 992	3436	msiexec.exe	86
PID 3436 wrote to memory of 5116	3436	msiexec.exe	87
PID 3436 wrote to memory of 5116	3436	msiexec.exe	87
PID 3436 wrote to memory of 3344	3436	msiexec.exe	89
PID 3436 wrote to memory of 3344	3436	msiexec.exe	89
PID 3436 wrote to memory of 3344	3436	msiexec.exe	89
PID 568 wrote to memory of 560	568	msedge.exe	92
PID 568 wrote to memory of 560	568	msedge.exe	92
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3608	568	msedge.exe	93
PID 568 wrote to memory of 3348	568	msedge.exe	94
PID 568 wrote to memory of 3348	568	msedge.exe	94
PID 568 wrote to memory of 2856	568	msedge.exe	95
PID 568 wrote to memory of 2856	568	msedge.exe	95
PID 568 wrote to memory of 2856	568	msedge.exe	95
PID 568 wrote to memory of 2856	568	msedge.exe	95
PID 568 wrote to memory of 2856	568	msedge.exe	95
PID 568 wrote to memory of 2856	568	msedge.exe	95
PID 568 wrote to memory of 2856	568	msedge.exe	95
PID 568 wrote to memory of 2856	568	msedge.exe	95
PID 568 wrote to memory of 2856	568	msedge.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\node-v22.11.0-x64.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3700

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding C834DB358C18164097EFF36098330CF0 C
  2⤵
  - Loads dropped DLL
  PID:3328
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1952
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 02D203B9A44C85DD973CABAFE6E72A4C
  2⤵
  - Loads dropped DLL
  PID:992
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 67FA2BC8AC318F13F41DBBCACD3AEAE9 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:5116
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0B06FCD9C41BDDDD3DB68034BEABA1A1
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3344

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3260

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd912e3cb8,0x7ffd912e3cc8,0x7ffd912e3cd8
  2⤵
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,2868611729410765632,6174226378127124165,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,2868611729410765632,6174226378127124165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,2868611729410765632,6174226378127124165,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2868611729410765632,6174226378127124165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2868611729410765632,6174226378127124165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2868611729410765632,6174226378127124165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2868611729410765632,6174226378127124165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,2868611729410765632,6174226378127124165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,2868611729410765632,6174226378127124165,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2868611729410765632,6174226378127124165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2868611729410765632,6174226378127124165,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2868611729410765632,6174226378127124165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2016 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2868611729410765632,6174226378127124165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2868611729410765632,6174226378127124165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2868611729410765632,6174226378127124165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2868611729410765632,6174226378127124165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2868611729410765632,6174226378127124165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2868611729410765632,6174226378127124165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2868611729410765632,6174226378127124165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2868611729410765632,6174226378127124165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,2868611729410765632,6174226378127124165,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:2388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1216

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:1044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:1404
- C:\Program Files\nodejs\node.exe
  node
  2⤵
  - Executes dropped EXE
  PID:5084

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1544

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
PID:3124

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2452

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:2232
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e581f8a.rbs

Filesize
935KB

MD5
9000cee7a1103d8c0a982c0d5b4505e9

SHA1
a4ddf00362d8321506c223d0ee2449d4393f873e

SHA256
fa705ff6cd2c918c2becb8cb8fa6913ce4cb0d11c1263ce5c9cc3ca510a2e985

SHA512
c7e302d74a32f328d47e831c1269a39f02d95efa65b6b69b02f24d69686245462020576816da4b5611aacdb56a640b5945a66305a75c6aa577c9fbca40fde450

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\node_modules\@npmcli\fs\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\tuf\LICENSE

Filesize
11KB

MD5
dfc1b916d4555a69859202f8bd8ad40c

SHA1
fc22b6ee39814d22e77fe6386c883a58ecac6465

SHA256
7b0ce3425a26fdba501cb13508af096ade77e4036dd2bd8849031ddecf64f7c9

SHA512
1fbe6bb1f60c8932e4dcb927fc8c8131b9c73afd824ecbabc2045e7af07b35a4155a0f8ad3103bf25f192b6d59282bfc927aead3cb7aaeb954e1b6dbd68369fa

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\shared.types.js

Filesize
79B

MD5
24563705cc4bb54fccd88e52bc96c711

SHA1
871fa42907b821246de04785a532297500372fc7

SHA256
ef1f170ad28f2d870a474d2f96ae353d770fff5f20e642cd8f9b6f1d7742df13

SHA512
2ce8d2cf580623358fef5f4f8925d0c9943a657c2503c80048ca789bf16eacdb980bfc8aaaa50101a738e939926fcf2545500484dcad782c700ee206d8c6f9b9

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\p-map\license

Filesize
1KB

MD5
b862aeb7e1d01452e0f07403591e5a55

SHA1
b8765be74fea9525d978661759be8c11bab5e60e

SHA256
fcf1a18be2e25ba82acf2c59821b030d8ee764e4e201db6ef3c51900d385515f

SHA512
885369fe9b8cb0af1107ee92b52c6a353da7cf75bc86abb622e2b637c81e9c5ffe36b0ac74e11cfb66a7a126b606fe7a27e91f3f4338954c847ed2280af76a5f

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\tar\dist\esm\package.json

Filesize
26B

MD5
2324363c71f28a5b7e946a38dc2d9293

SHA1
7eda542849fb3a4a7b4ba8a7745887adcade1673

SHA256
1bf0e53fc74b05f1aade7451fbac72f1944b067d4229d96bae7a225519a250e4

SHA512
7437cf8f337d2562a4046246fbfcc5e9949f475a1435e94efbc4b6a55880050077d72692cbc3413e0ccd8f36adf9956a6cc633a2adc85fbff6c4aa2b8edac677

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\yallist\dist\commonjs\package.json

Filesize
28B

MD5
56368b3e2b84dac2c9ed38b5c4329ec2

SHA1
f67c4acef5973c256c47998b20b5165ab7629ed4

SHA256
58b55392b5778941e1e96892a70edc12e2d7bb8541289b237fbddc9926ed51bd

SHA512
d662bff3885118e607079fcbeedb27368589bc0ee89f90b9281723fa08bda65e5a08d9640da188773193c0076ec0a5c92624673a6a961490be163e2553d6f482

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\fs-minipass\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\indent-string\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmsearch\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\npm-audit-report\LICENSE

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\node_modules\proc-log\LICENSE

Filesize
757B

MD5
8bb6f78000746d4fa0baf4bdbf9e814e

SHA1
4b7049331119a63009aec376677b97c688266613

SHA256
a5103404e4615fa1ed46aef13082dd287bf4b95964e71ffdf198984b3d5882b8

SHA512
ee6874e77e33e0e0fe271ae706b344696201c1c204356e271705d9b0687bb597991c3b589d0fa6b6b38dd2933026c0996b37bc13062a5acb2fdc7f3359cdb262

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\es2015\index.js

Filesize
17KB

MD5
cf8f16c1aa805000c832f879529c070c

SHA1
54cc4d6c9b462ad2de246e28cd80ed030504353d

SHA256
77f404d608e2a98f2a038a8aa91b83f0a6e3b4937e5de35a8dae0c23aa9ee573

SHA512
a786e51af862470ae46ad085d33281e45795c24897e64b2c4b265302fa9cbfa47b262ec188adbc80d51cfc6ba395b500c0d7f5d343ca4fc2b828eaedba4bd29a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\index.js

Filesize
15KB

MD5
9841536310d4e186a474dfa2acf558cd

SHA1
33fabbcc5e1adbe0528243eafd36e5d876aaecaa

SHA256
5b3c0ac6483d83e6c079f9ffd1c7a18e883a9aaeaedb2d65dd9d5f78153476b9

SHA512
b67680a81bb4b62f959ba66476723eb681614925f556689e4d7240af8216a49f0d994c31381bf6a9489151d14ed8e0d0d4d28b66f02f31188059c9b24aaa3783

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
72b8c907a5d50eb4917010e78ef8a23b

SHA1
a3e7ebff0927ae76cecdedb6e81422be78786bd3

SHA256
f6424b15af9a46f0ebef4cc2ca73a2b534ed22b2acec189ee9233fd815187e20

SHA512
9def64b5fedadfe38456c608be144706fea63847b5fd4f636af048b2886d88779f8b1268eac2c33e1edf9cc07deaa64de3ab5504b8a16d19e2b03b22b3a08dcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
159239844fe85a7b6b4358e3dfb73039

SHA1
27f9fdb4b407665cb8446171b56bae1dbbf05041

SHA256
54f705bfa7da9d40819e923eacce8a3b1dde70b2196e0cea0893f7c287b2acae

SHA512
059596d7267046d98d7cda1a1af7311c2a8d4c2c32a864a99fbaeaa1568cd9d1c37a7869ff3eaaf344d2ec410cdff97c81cedc1cce1e7e48935ffecc7d76615c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_0D7BFF9D231ADDC3439B70E4C5E809D4

Filesize
727B

MD5
92e2c8647142881c6854724d3e3d0aac

SHA1
d7d2a39374b3e913f6981fb5af3ccf47c02b0e84

SHA256
e911720fd72f86ac93c5a1b292a9a7d1b316ab09886a21ce211fc7adaae950dc

SHA512
22f91907b1a417153ec66f17117ae1ee5b2da7a13dade25ae0690248931ec73dd06f49776c1e7124afe8b067d62db7fefc90c1777a5c93e4a22403c66c8198fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
6e8abcfde63a04d6c0f7fae95d6f98a8

SHA1
d8c3bd8e7a0d18fd4435a0842dc1f4fc4b76f367

SHA256
25f012ae852b065244e4312ad1dd00dfb30b151c2cdf97024d49665a04d9ef2d

SHA512
4577c8e553d326b1a1c4f93cb6a8dd40486f8d9cad3009fd8a2006f4749667dd10999ae198aa9e37569a8e88f3b5d28819872f7e572a5b4ccc05eafb0cd1942f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
637844a8c8d715c3f018e28670d1b310

SHA1
7149c8922c106fb2dbebce71044d1f4295425949

SHA256
9db3c868d3b7b0d2f61caf469e2041c585eea07f4b18b24423a9aef140dbd759

SHA512
1fbc3abe1ad99a19303f49856e5fa494e4866bf2744420341298ace4f69a3cb6d084a710abc66a95e6095d96af24a5649aa492db92697709c15bcc365693e287

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_0D7BFF9D231ADDC3439B70E4C5E809D4

Filesize
404B

MD5
7600793509d8ba5cb3713bdc2c8a9a54

SHA1
dd7e7c9ef3e22b2857e854a6d218255725238096

SHA256
ba0f51874f056bbb670b70d4b9a352d7955964196a048a35f4f4870104ccb1d1

SHA512
4c00b396813f8257008bd506c12200181d83a3519a1088ddfd874fb943111c401b55feb445bcbeed3136216cdcf1d9b56815383b72825262e5d5c2564654c6e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
5fe978a72532c9637480771663545663

SHA1
163b790f5d8a1d1f08a2ca14ca31b019cb535f2b

SHA256
9425f038aeb869eb47d1408cc648ba73036b66a7d9cfe717bc703288bf2597c1

SHA512
b180e604bf92c5995f3d489cbd446a570c0fb4b5338f4e5ca3cf43af25bc352871bc2ad8f6ee3da4cb03de98fd5f7a37010348f48897d1280bd403762ddaceff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28bb0d36049e72d00393056dce10a26

SHA1
c753387b64cc15c0efc80084da393acdb4fc01d0

SHA256
684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

SHA512
20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
554d6d27186fa7d6762d95dde7a17584

SHA1
93ea7b20b8fae384cf0be0d65e4295097112fdca

SHA256
2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

SHA512
57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
912B

MD5
fc55144f9438451baf3b7e6ae8c8d8ff

SHA1
29963534261f33eedeb49fcc470d2b03a924f8aa

SHA256
3a6b32bdde39a7f0336a3f7d5220c6c6898bd9d38bfb43646657fb8337277fc0

SHA512
666b8f2efcf87d571507c7fcac83eed0e86df58d9bb2f07760ebf26d2fe7a3a7700e57ecdb7c34056bf83ee296cf7089731df8c6129989265bae431555b7aebd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
ee43d47b02db6100d15f7c8b885ea129

SHA1
1ff0184ff4ec5e77da2027c4b0d1d5ec5e079b7f

SHA256
33e5ec003c65bde3edc8da117a5c9e19bd849556587dea72bb538b36a52e1751

SHA512
7385397b65f863d108fb3960dd59047f318eaea1dc6e05423a815e7f0c04bcbf7744a3bacc3f9c9a6083b64a06a3df40d7e9d1caf60a499d20dc23a648acabca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
aa267697396a4781a9f10dd590534e90

SHA1
ab412deed0cbfa89c735f5a3faa5c335f67d4c1e

SHA256
62f4843da4c3c844141813b04d16470d688dbdd8f7bea3258dc7c86285c0295e

SHA512
0dd644f992e396502209670b76a31893a79004b8646b491ecd13e2dfc68f2927812ccf82483cafa84fa84d6fcb2dc4679a7f819ee4f960e4b95054965c5d23a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
a675a4c0b2e458df711553d3c2abc3fa

SHA1
fc3c2b37e5bb5dc534ebc21f0a034d254b31cbc6

SHA256
2fda517e6c12926024605c87dde6d62ca3aec4751f46b12eaf9cb866000458b8

SHA512
ac0e49719140e3b1744e2eb691dad2211da4436910e686a3972aeab5c91a71204271cbc00d56ab023d950471181e41c86b633608c87f00b7afac6f616e55859a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
edd535d8c0c3f649f9fc03836141f381

SHA1
33f6910f4fe6a260d54cf343ff1e1c4707fc69ba

SHA256
a56715ca4a37237858bd8528a6f48545b9b32c124061aca5fa24cd94b45b1dc0

SHA512
d029456b6caee0edf8edb36d6f33ead3fe68e35276c84402c1b5a22ecc2678905b2e310402c0340c666bbe413ed32a51dde5d4164b02d986c5dec2721a97c068

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dd119f754692827964f217d7cf3ecfa1

SHA1
d07de7c2ec53132e8a53de075e238e77d85535ec

SHA256
1c1cfbdbcd611d16d8c78051127f6f7be03f3db6b814b5632e648a57188cdae5

SHA512
63cbdf782223340c459c5df0f61a50f499a33c27441f95afbb06785193c4e1ae27d52f101e6a10a11a9ced35cb800b3688145e7fdde19959e6544b26e9b73ba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
38e1acd90c970a4464f30730bf2420d0

SHA1
919e44a3b810cf7a4d6f3d9b43cd0e937deeea1c

SHA256
04533d0c6ce930e1b3e8945b54046ecf6c97974c8f8e8acadef5bae47bf0fccd

SHA512
78aca8084d4d08dbd287bc4374430c295deb2a7fa3630435003034d8e1fa39b0fdb0e2a2d0055d76a9bf16644c773f6236b4fdaed778e5291211d154080a8bce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b3e2f0cc0cee798151414712eae72da7

SHA1
75127c5f84df0544fbb34e89fb5bae97d79104aa

SHA256
24a27598d1779b666cfd5728cff61666902d0ca6536584afee6f341966c70e38

SHA512
9c975917eea04a3fdf5369a1f69dafb6d06e82864a635c2204898a4dd18c43b59cfb831cb3a4df6b791359449430f70ffa792288d989e7dbc082224ef6bb2eb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3b3a6e5a48f105e44fe0b0d9c2285c24

SHA1
0f7b0e57b374c875aac4452a9395800b2ef25b88

SHA256
d5b867471fa30fd02f85082c91a7438c299e1340265e81514a33f17d6566b1b6

SHA512
c8245a3f1c9963a5879fb560d0c9a261e83ea2d768c05ee13510400682c99eeda761a2d17c8157f9dd4de51cb49d5db57b191485d5b12f9818c0ea73a95a3b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAC4D.tmp

Filesize
144KB

MD5
7fa9d662d634534d7c2240dd126bdeee

SHA1
bd01e22ed2da0d0d485824b372ac67da683863d2

SHA256
c0e8683b697b3c6e55deb4497d3434d6e2cc841eb8c9a1b7d3f8907cff7de206

SHA512
cbc737e3eb94151c9dacaa5ee780cb550176ca2be2e0c66925884b5bc6222b7bcde5ed66e881f2a76f3d26edf5331abf0e74c819ad4f5fd7d0819bc4c138bb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAD0A.tmp

Filesize
390KB

MD5
80bebea11fbe87108b08762a1bbff2cd

SHA1
a7ec111a792fd9a870841be430d130a545613782

SHA256
facf518f88cd67afd959c99c3ba233f78a4fbfe7fd3565489da74a585b55e9d1

SHA512
a760debb2084d801b6381a0e1dcef66080df03a768cc577b20b8472be87ad8477d59c331159555de10182d87340aa68fe1f3f5d0212048fd7692d85f4da656f6

Download Submit
C:\Windows\Installer\MSI4B51.tmp

Filesize
341KB

MD5
74528af81c94087506cebcf38eeab4bc

SHA1
20c0ddfa620f9778e9053bd721d8f51c330b5202

SHA256
2650b77afbbc1faacc91e20a08a89fc2756b9db702a8689d3cc92aa163919b34

SHA512
9ce76594f64ea5969fff3becf3ca239b41fc6295bb3abf8e95f04f4209bb5ccddd09c76f69e1d3986a9fe16b4f0628e4a5c51e2d2edf3c60205758c40da04dae

Download Submit
C:\Windows\Installer\e581f89.msi

Filesize
28.9MB

MD5
fa9e1f3064a66913362e9bff7097cef5

SHA1
b34f1f9a9f6242c54486a4bc453a9336840b4425

SHA256
9eea480bd30c98ae11a97cb89a9278235cbbbd03c171ee5e5198bd86b7965b4b

SHA512
ad3e9469326dccac6b49185b5b2814ba700b5d83b4b3ce17f85a9adc5f90bdebf54d79800b253ed5c371ab82d27304841f86ab1a8a3c7ffade8a2d78e55dc99f

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
929d4ae0f646e1b142b7840d223579c4

SHA1
82119f8cba8395ba9bf7357ffcffe73d9dbd696b

SHA256
98999dfb4398636706c890f2252b25ddb3243eef362a2d71b13b6081bad75fa7

SHA512
5f0c9acade6db18718d307a3eb557ed86c8b635464e2326e099c03b89b40c9606ed4c6c7112e5e0065ab3f7fa2539d22a8106699d76bf352627f1eb1ec74166c

Download Submit
\??\Volume{7f79794c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f34882e9-70aa-4646-abf7-748f87507d6f}_OnDiskSnapshotProp

Filesize
6KB

MD5
da1b7c334cbf716a65ecc155129cdd2c

SHA1
34da0788c8d4246d5e6e1e3f0e5b58ed29236770

SHA256
b104c2214e24af4f6bc8e5d0b58be41e977180b3f5f9bf6fe108fc65bab750ae

SHA512
9661740ec9475da45b2f7e96620b9745238170fc2bd1f93f4723d58396b2f61c0cbfbd30271b84a7ea757fa63a22b8eb424678b449cb106b2e5a3df89682ed1d

Download Submit