Analysis

max time kernel: 402s
max time network: 406s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-06-2024 19:48

Static task: static1
Behavioral task: behavioral1
Sample: SolaraBootstrapper.exe
Resource: win10v2004-20240611-en

General
Target: SolaraBootstrapper.exe
Size: 797KB
MD5: 36b62ba7d1b5e149a2c297f11e0417ee
SHA1: ce1b828476274375e632542c4842a6b002955603
SHA256: 8353c5ace62fda6aba330fb3396e4aab11d7e0476f815666bd96a978724b9e0c
SHA512: fddec44631e7a800abf232648bbf417969cd5cc650f32c17b0cdc12a0a2afeb9a5dbf5c1f899bd2fa496bd22307bfc8d1237c94920fceafd84f47e13a6b98b94
SSDEEP: 12288:n1mzgHpbzEu8AgpQojA1j855xU9pHIRxSNN:1mzgH385QojA1j855xSHI
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
The VBOX__ table name under HARDWARE\ACPI\DSDT exists only on VirtualBox guests, so opening this key is a well-known VM-detection check.
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Downloads MZ/PE file

Sets file execution options in registry 2 TTPs 2 IoCs
Image File Execution Options (IFEO) entries are honoured by the loader on every launch of the named image. The value written here is DisableExceptionChainValidation = 0, which enforces SEHOP for MicrosoftEdgeUpdate.exe rather than weakening it; no Debugger value (the IFEO hijack/persistence technique) is set.
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" | MicrosoftEdgeUpdate.exe
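As an added example (not part of this report and not sandbox or vendor code), the Python below triages IFEO writes in the report's flattened "Set value (type) <key>\<value> = "<data>" <process>" form. It separates the SEHOP toggle seen here from the Debugger-value hijack that makes IFEO a persistence technique. The first line is copied from the signature above; the lines marked constructed, including the process name evil.exe and the sethc.exe/notepad.exe targets, are illustrative and were not observed in this run. The verdict labels are the example's own.

```python
"""Triage Image File Execution Options (IFEO) writes taken from flattened sandbox IoC lines.

Added example for this report; it is not sandbox or vendor code.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

IFEO_ROOT = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT"
             r"\CurrentVersion\Image File Execution Options")

# One IoC as the report prints it: Set value (type) <key>\<value> = "<data>" <process>
SET_VALUE_RE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<proc>\S+)'
)


@dataclass
class IfeoVerdict:
    image: str      # executable name the IFEO subkey applies to
    value: str      # value name written under that subkey
    data: str       # data as logged (backslashes doubled, as in the report)
    process: str    # process that performed the write
    verdict: str    # hardening | weakening | hijack | review
    reason: str


def classify_ifeo(line: str) -> Optional[IfeoVerdict]:
    """Return a verdict for an IFEO 'Set value' IoC, or None for any other line."""
    m = SET_VALUE_RE.search(line)
    if not m:
        return None
    prefix = IFEO_ROOT + "\\"
    path = m.group("path")
    if not path.startswith(prefix):
        return None
    image, _, value = path[len(prefix):].rpartition("\\")
    if not image:
        return None  # value on the IFEO root itself, not on a per-image subkey
    data, proc = m.group("data"), m.group("proc")
    name = value.lower()
    if name == "debugger":
        # The loader starts <data> with the original command line appended,
        # so whoever controls this value controls every launch of <image>.
        return IfeoVerdict(image, value, data, proc, "hijack",
                           f"every launch of {image} is redirected to {data}")
    if name == "disableexceptionchainvalidation":
        if data == "0":
            return IfeoVerdict(image, value, data, proc, "hardening",
                               "SEHOP (exception chain validation) enforced for this image")
        return IfeoVerdict(image, value, data, proc, "weakening",
                           "SEHOP disabled for this image")
    return IfeoVerdict(image, value, data, proc, "review",
                       f"IFEO value {value!r} needs manual review")


def triage(lines: List[str]) -> List[IfeoVerdict]:
    """Classify every IFEO write in a list of IoC lines, skipping unrelated lines."""
    return [v for v in map(classify_ifeo, lines) if v is not None]


# Copied from the report's "Sets file execution options in registry" signature.
REPORT_LINE = ('Set value (int) ' + IFEO_ROOT +
               r'\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" MicrosoftEdgeUpdate.exe')

# Constructed samples (NOT observed in this report): a Debugger hijack of the
# sticky-keys helper and a SEHOP opt-out, both attributed to a placeholder evil.exe.
CONSTRUCTED_LINES = [
    'Set value (str) ' + IFEO_ROOT + r'\sethc.exe\Debugger = "C:\\Windows\\System32\\cmd.exe" evil.exe',
    'Set value (int) ' + IFEO_ROOT + r'\notepad.exe\DisableExceptionChainValidation = "1" evil.exe',
    'Key created ' + IFEO_ROOT + r'\MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe',
]

if __name__ == "__main__":
    for v in triage([REPORT_LINE] + CONSTRUCTED_LINES):
        print(f"{v.verdict:<9} {v.image:<28} {v.value} -> {v.reason}")
```

Run as a script it prints one verdict per IFEO write; "Key created" lines and values outside the IFEO tree are ignored so the same function can be fed an entire registry IoC dump.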

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | SolaraBootstrapper.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | SolaraBootstrapper.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | MicrosoftEdgeUpdate.exe

Executes dropped EXE 24 IoCs
pid | process
4260 | vc_redist.x64.exe
4308 | vc_redist.x64.exe
4084 | node.exe
4572 | vc_redist.x64.exe
2040 | vc_redist.x64.exe
3748 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5100 | node.exe
824 | RobloxPlayerInstaller.exe
540 | MicrosoftEdgeWebview2Setup.exe
3880 | MicrosoftEdgeUpdate.exe
224 | MicrosoftEdgeUpdate.exe
4132 | MicrosoftEdgeUpdate.exe
3304 | MicrosoftEdgeUpdateComRegisterShell64.exe
376 | MicrosoftEdgeUpdateComRegisterShell64.exe
2312 | MicrosoftEdgeUpdateComRegisterShell64.exe
3344 | MicrosoftEdgeUpdate.exe
4868 | MicrosoftEdgeUpdate.exe
4876 | MicrosoftEdgeUpdate.exe
208 | MicrosoftEdgeUpdate.exe
4104 | MicrosoftEdge_X64_126.0.2592.56.exe
2400 | setup.exe
4684 | setup.exe
4888 | MicrosoftEdgeUpdate.exe
4732 | RobloxPlayerBeta.exe

Loads dropped DLL 35 IoCs
pid | process | dropped DLL loads
2848 | MsiExec.exe | 3
4736 | MsiExec.exe | 5
2676 | MsiExec.exe | 3
4308 | vc_redist.x64.exe | 1
2040 | vc_redist.x64.exe | 1
3748 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe | 5
3880 | MicrosoftEdgeUpdate.exe | 1
224 | MicrosoftEdgeUpdate.exe | 1
4132 | MicrosoftEdgeUpdate.exe | 4
3304 | MicrosoftEdgeUpdateComRegisterShell64.exe | 1
376 | MicrosoftEdgeUpdateComRegisterShell64.exe | 1
2312 | MicrosoftEdgeUpdateComRegisterShell64.exe | 1
3344 | MicrosoftEdgeUpdate.exe | 1
4868 | MicrosoftEdgeUpdate.exe | 2
4876 | MicrosoftEdgeUpdate.exe | 2
208 | MicrosoftEdgeUpdate.exe | 1
4888 | MicrosoftEdgeUpdate.exe | 1
4732 | RobloxPlayerBeta.exe | 1

Registers COM server for autorun 1 TTPs 33 IoCs
All 33 writes are made by MicrosoftEdgeUpdateComRegisterShell64.exe and point the three CLSIDs at C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\psmachine_64.dll, inside the Edge Update directory laid down during this run's MicrosoftEdgeWebview2Setup.exe install. Before treating these registrations as malicious persistence, confirm that DLL's signature and that the CLSIDs match what a clean Edge Update install registers. Each key is created, populated and deleted three times over, consistent with the three MicrosoftEdgeUpdateComRegisterShell64.exe instances (pids 3304, 376 and 2312) listed under Executes dropped EXE; the report logs one deletion per CLSID with the path in upper case (\SOFTWARE\CLASSES\CLSID\...\INPROCSERVER32).

CLSID {A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 (12 IoCs, process MicrosoftEdgeUpdateComRegisterShell64.exe):
Key created ×3; Key deleted ×3
Set value (str) | (Default) = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" ×3
Set value (str) | ThreadingModel = "Both" ×3

CLSID {8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32 (9 IoCs, process MicrosoftEdgeUpdateComRegisterShell64.exe):
Key created ×3
Set value (str) | (Default) = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" ×3
Set value (str) | ThreadingModel = "Both" ×3

CLSID {9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 (12 IoCs, process MicrosoftEdgeUpdateComRegisterShell64.exe):
Key created ×3; Key deleted ×3
Set value (str) | (Default) = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" ×3
Set value (str) | ThreadingModel = "Both" ×3
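As an added example (not part of this report and not sandbox or vendor code), the Python below pulls CLSID to in-process-server mappings out of "Set value (str) ...\CLSID\{...}\InprocServer32\ = "<dll>" <process>" IoCs, collapses the repeated writes, and grades each server DLL by where it lives, which is the first question to ask of any COM registration found in a sandbox run. The three CLSID lines and the ThreadingModel line are copied from the signature above; the last line, with the all-zero placeholder CLSID, the path constructed.dll and the process name example.exe, is constructed to exercise the suspicious branch and was not observed. The user-writable markers and trusted prefixes are the example's own heuristics.

```python
"""Extract COM in-process server registrations from flattened sandbox IoC lines
and grade each server DLL by location.  Added example; not sandbox or vendor code.
"""
import re
from typing import Dict, Iterable, NamedTuple

# The default value of ...\CLSID\{clsid}\InprocServer32 holds the DLL path.  The report
# logs the key with mixed case (InprocServer32 / InProcServer32 / INPROCSERVER32).
CLSID_SERVER_RE = re.compile(
    r'Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\'
    r'(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\InprocServer32\\ = "(?P<dll>[^"]*)" (?P<proc>\S+)',
    re.IGNORECASE,
)

# Heuristics only: code in a user-writable location is the usual sign of a hijacked
# or malicious COM server; vendor directories still need a signature check.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


class ComServer(NamedTuple):
    clsid: str
    dll: str
    process: str
    writes: int     # how many times the default value was (re)written
    verdict: str


def classify_server_path(dll: str) -> str:
    """Grade a COM server DLL path; user-writable markers are checked before vendor prefixes."""
    p = dll.lower()
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        return "suspicious: server DLL in a user-writable location"
    if p.startswith(TRUSTED_PREFIXES):
        return "vendor path: verify the DLL's Authenticode signature and install time"
    if not re.match(r"^[a-z]:\\", p):
        return "suspicious: relative or unusual server path"
    return "review: uncommon install location"


def extract_com_servers(lines: Iterable[str]) -> Dict[str, ComServer]:
    """Map each CLSID to its last-written server DLL, counting repeated writes."""
    servers: Dict[str, ComServer] = {}
    for line in lines:
        # finditer copes with the report's habit of running many IoCs onto one line.
        for m in CLSID_SERVER_RE.finditer(line):
            clsid = m.group("clsid").upper()
            dll = m.group("dll").replace("\\\\", "\\")   # undo the report's escaping
            writes = servers[clsid].writes + 1 if clsid in servers else 1
            servers[clsid] = ComServer(clsid, dll, m.group("proc"), writes,
                                       classify_server_path(dll))
    return servers


EDGE_DLL = r'"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"'
REGISTRAR = "MicrosoftEdgeUpdateComRegisterShell64.exe"

# Five of the report's IoCs (the A2F5CB38 default value is written several times there)
# plus one constructed line that was NOT observed, included to exercise the suspicious branch.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = ' + EDGE_DLL + " " + REGISTRAR,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ = ' + EDGE_DLL + " " + REGISTRAR,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = ' + EDGE_DLL + " " + REGISTRAR,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = ' + EDGE_DLL + " " + REGISTRAR,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ThreadingModel = "Both" ' + REGISTRAR,
    # constructed, not from the report:
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\constructed.dll" example.exe',
]

if __name__ == "__main__":
    for s in extract_com_servers(SAMPLE_LINES).values():
        print(f"{s.clsid} x{s.writes} {s.dll} ({s.process}) -> {s.verdict}")
```

ThreadingModel writes are deliberately ignored: only the default value names code, so only it decides what the CLSID will load.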

Themida-packed component detected (YARA rule "themida") 4 IoCs
The dropped DLL in the Solara.Dir temp folder and three memory dumps of pid 3748 (cd57e4c171d6e8f5ea8b8f824a6a7316.exe) match the themida rule. All three dumps cover the same 0x180000000-0x180AB4000 region, the default image base for x64 DLLs, consistent with the dropped DLL being mapped there; they were captured at successive points in the run, and later dumps are the more likely to hold unpacked code.
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.dll | themida
behavioral1/memory/3748-4056-0x0000000180000000-0x0000000180AB4000-memory.dmp | themida
behavioral1/memory/3748-4142-0x0000000180000000-0x0000000180AB4000-memory.dmp | themida
behavioral1/memory/3748-5796-0x0000000180000000-0x0000000180AB4000-memory.dmp | themida

Blocklisted process makes network request 2 IoCs
flow | pid | process
25 | 1836 | msiexec.exe
27 | 1836 | msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Queries whether UAC is enabled (EnableLUA) 2 IoCs
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RobloxPlayerInstaller.exe

Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive. Every probe here is msiexec.exe opening drive roots during Windows Installer volume costing, which is normal for an MSI install and weak evidence on its own.
description | ioc | process
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: | msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
Four flows go to raw.githubusercontent.com; compare them with the Downloads MZ/PE file signature above, since GitHub raw content is a common staging location for second-stage binaries.
flow | ioc
66 | raw.githubusercontent.com
67 | raw.githubusercontent.com
70 | raw.githubusercontent.com
71 | raw.githubusercontent.com

Checks system information in the registry 2 TTPs 10 IoCs
System information is often read in order to detect sandboxing environments. All ten reads here are by MicrosoftEdgeUpdate.exe, the updater installed alongside Edge WebView2 during this run, not by the Solara components.
description | ioc | process | count
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe | 5
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe | 5

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid | process
4732 | RobloxPlayerBeta.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs
ThreadHideFromDebugger (THREADINFOCLASS 0x11) stops an attached debugger receiving events for the calling thread. One call comes from pid 3748, cd57e4c171d6e8f5ea8b8f824a6a7316.exe, whose memory matched the themida rule above; the other 21, like the NtCreateThreadEx variant, come from RobloxPlayerBeta.exe, the game client installed by RobloxPlayerInstaller.exe, and should be assessed separately from the Solara components.
pid | process | calls
3748 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe | 1
4732 | RobloxPlayerBeta.exe | 21

Drops file in Program Files directory 64 IoCs
Three installers account for all 64 entries: msiexec.exe laying down Node.js (23), RobloxPlayerInstaller.exe laying down the Roblox client (39) and Edge's setup.exe (2). Several file names that contain an "@" appear mangled as "[email protected]" in the captured report.

msiexec.exe, File created under C:\Program Files\nodejs\:
npm.cmd
node_modules\npm\docs\content\commands\npm-config.md
node_modules\npm\docs\output\commands\npm-install-ci-test.html
node_modules\npm\node_modules\@colors\colors\lib\extendStringPrototype.js
node_modules\npm\node_modules\ansi-regex\index.js
node_modules\npm\node_modules\cacache\lib\verify.js
node_modules\npm\node_modules\chownr\LICENSE
node_modules\npm\node_modules\ci-info\index.d.ts
node_modules\npm\node_modules\cidr-regex\index.d.ts
node_modules\npm\node_modules\diff\lib\patch\parse.js
node_modules\npm\node_modules\events\tests\add-listeners.js
node_modules\npm\node_modules\infer-owner\package.json
node_modules\npm\node_modules\is-core-module\package.json
node_modules\npm\node_modules\libnpmversion\lib\retrieve-tag.js
node_modules\npm\node_modules\negotiator\lib\language.js
node_modules\npm\node_modules\node-gyp\node_modules\minimatch\package.json
node_modules\npm\node_modules\npm-registry-fetch\lib\check-response.js
node_modules\npm\node_modules\read-cmd-shim\LICENSE
node_modules\npm\node_modules\rimraf\node_modules\minimatch\package.json
node_modules\npm\node_modules\socks-proxy-agent\dist\index.js
node_modules\npm\node_modules\spdx-license-ids\package.json
node_modules\npm\node_modules\tuf-js\dist\models\role.js
node_modules\npm\node_modules\which\lib\index.js

RobloxPlayerInstaller.exe, File created under C:\Program Files (x86)\Roblox\Versions\version-2cca5ed32b534b2a\:
RobloxPlayerLauncher.exe
content\configs\DateTimeLocaleConfigs\zh-hk.json
content\textures\AnimationEditor\Close.png
content\textures\AvatarEditorImages\Sliders\[email protected]
content\textures\Debugger\Breakpoints\[email protected]
content\textures\Debugger\Step-Over.png
content\textures\MaterialGenerator\Materials\Ice.png
content\textures\RoduxDevtools\StateTabs\Diff.png
content\textures\RoduxDevtools\Undo.png
content\textures\StudioSharedUI\[email protected]
content\textures\StudioSharedUI\preview_clear.png
content\textures\TerrainTools\mt_replace.png
content\textures\collapsibleArrowDown.png
content\textures\particles\smoke_main.dds
content\textures\ui\Controls\DefaultController\ButtonL2.png
content\textures\ui\Controls\DesignSystem\[email protected]
content\textures\ui\Controls\DesignSystem\[email protected]
content\textures\ui\Controls\xboxLB.png
content\textures\ui\Emotes\Large\CircleBackground.png
content\textures\ui\Emotes\Large\[email protected]
content\textures\ui\Settings\Help\BButtonLight.png
content\textures\ui\Settings\Radial\BottomLeft.png
content\textures\ui\Settings\Radial\[email protected]
content\textures\ui\VoiceChat\MicDark\[email protected]
content\textures\ui\VoiceChat\MicLight\[email protected]
content\textures\ui\VoiceChat\SpeakerDark\[email protected]
content\textures\ui\chat_teamButton.png
content\textures\ui\scrollbar.png
content\textures\ui\traildot.png
ExtraContent\textures\ui\Controls\DesignSystem\DpadUp.png
ExtraContent\textures\ui\Controls\DesignSystem\[email protected]
ExtraContent\textures\ui\Controls\DesignSystem\[email protected]
ExtraContent\textures\ui\LuaApp\graphic\gr-avatar [email protected]
ExtraContent\textures\ui\LuaChat\9-slice\[email protected]
ExtraContent\textures\ui\LuaChat\graphic\gr-indicator-ingame-8x8.png
ExtraContent\textures\ui\LuaChat\graphic\gr-send-on.png
ExtraContent\textures\ui\LuaChat\graphic\gr-send.png
ExtraContent\textures\ui\LuaChat\graphic\[email protected]
ExtraContent\textures\ui\LuaChat\icons\[email protected]

setup.exe, File opened for modification:
C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.56\Locales\fa.pak
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.56\VisualElements\LogoDev.png

Drops file in Windows directory 21 IoCs
All entries are msiexec.exe working in C:\Windows\Installer\ for the Node.js MSI (product code {EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}, whose NodeIcon resource is cached there) plus one write to the .NET ngen log.

msiexec.exe, File created:
C:\Windows\Installer\e574b22.msi
C:\Windows\Installer\e574b26.msi
C:\Windows\Installer\inprogressinstallinfo.ipi
C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}
C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon

msiexec.exe, File opened for modification:
C:\Windows\Installer\
C:\Windows\Installer\e574b22.msi
C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon
C:\Windows\Installer\MSI5321.tmp
C:\Windows\Installer\MSI5380.tmp
C:\Windows\Installer\MSI53A0.tmp
C:\Windows\Installer\MSI575A.tmp
C:\Windows\Installer\MSI599D.tmp
C:\Windows\Installer\MSI59CD.tmp
C:\Windows\Installer\MSI6131.tmp
C:\Windows\Installer\MSI6161.tmp
C:\Windows\Installer\MSI8238.tmp
C:\Windows\Installer\MSI82F4.tmp
C:\Windows\Installer\MSI849B.tmp
C:\Windows\Installer\MSI89FB.tmp
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry 2 TTPs 5 IoCs
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | RobloxPlayerInstaller.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer | RobloxPlayerInstaller.exe
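Taken together, the registry reads flagged by the VirtualBox ACPI, BIOS information, computer location, system information and system info signatures above form a fingerprinting profile per process, and the value of that profile depends on which process produced it. As an added example (not part of this report and not sandbox or vendor code), the Python below classifies "Key opened" / "Key value queried" IoC lines against the keys those signatures fire on and scores each process, so that the VBOX__ plus BIOS-version reads by cd57e4c171d6e8f5ea8b8f824a6a7316.exe stand out from the single SMBIOS reads by the updater and the browser. Every sample line is copied from the signatures in this report; the category names and the scoring rule are the example's own.

```python
"""Profile sandbox-fingerprinting registry reads per process from flattened IoC lines.

Added example for this report; the categories and the scoring rule are the
example's own, not the sandbox's.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "Key opened <path> <process>" or "Key value queried <path> <process>", one IoC per line.
READ_RE = re.compile(r"^(?P<action>Key opened|Key value queried) (?P<path>\\REGISTRY\\.+?) (?P<proc>\S+\.exe)$")

# Keys commonly read to fingerprint a VM or sandbox, as seen in the signatures above.
FINGERPRINT_KEYS = [
    (re.compile(r"\\hardware\\acpi\\(dsdt|fadt|rsdt)\\vbox__", re.I), "hypervisor-artifact"),
    (re.compile(r"\\hardware\\description\\system\\(system|video)biosversion$", re.I), "bios-version"),
    (re.compile(r"\\hardware\\description\\system\\bios\\(systemmanufacturer|systemproductname|baseboardmanufacturer)$", re.I), "smbios"),
    (re.compile(r"\\control\\systeminformation\\(systemmanufacturer|systemproductname)$", re.I), "smbios"),
    (re.compile(r"\\control panel\\international\\geo\\nation$", re.I), "geolocation"),
    (re.compile(r"\\policies\\system\\enablelua$", re.I), "uac-status"),
]


@dataclass
class ProcessProfile:
    process: str
    reads: int                  # fingerprint-relevant reads attributed to the process
    categories: Tuple[str, ...]
    assessment: str


def classify_registry_read(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (process, path, category) for a fingerprinting read, else None."""
    m = READ_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    for pattern, category in FINGERPRINT_KEYS:
        if pattern.search(path):
            return m.group("proc"), path, category
    return None     # e.g. merely opening HARDWARE\DESCRIPTION\System\BIOS


def profile_registry_reads(lines: List[str]) -> Dict[str, ProcessProfile]:
    """Aggregate classified reads per process and attach a coarse assessment."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        classified = classify_registry_read(line)
        if classified:
            proc, _, category = classified
            hits.setdefault(proc, []).append(category)
    profiles: Dict[str, ProcessProfile] = {}
    for proc, cats in hits.items():
        distinct = tuple(sorted(set(cats)))
        # A direct hypervisor artefact, or several independent fingerprint families,
        # is the pattern of deliberate sandbox evasion; one SMBIOS read is routine
        # for installers, updaters and browsers and must be weighed by process.
        if "hypervisor-artifact" in distinct or len(distinct) >= 2:
            assessment = "likely anti-analysis"
        else:
            assessment = "single fingerprint family; weigh by process"
        profiles[proc] = ProcessProfile(proc, len(cats), distinct, assessment)
    return profiles


# All lines below are copied from the signatures in this report.
REPORT_LINES = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ cd57e4c171d6e8f5ea8b8f824a6a7316.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion cd57e4c171d6e8f5ea8b8f824a6a7316.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion cd57e4c171d6e8f5ea8b8f824a6a7316.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation SolaraBootstrapper.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RobloxPlayerInstaller.exe",
]

if __name__ == "__main__":
    for p in sorted(profile_registry_reads(REPORT_LINES).values(), key=lambda p: -p.reads):
        print(f"{p.process:<40} reads={p.reads} {','.join(p.categories):<32} {p.assessment}")
```

The scoring deliberately ignores the geolocation read on its own: a Geo\Nation lookup is a geofence indicator rather than a VM check, and it only becomes interesting once the same process also fingerprints the hardware.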

Registers URL protocol handlers without an open-warning prompt (Internet Explorer ProtocolExecute, WarnOnOpen = 0) 6 IoCs
RobloxPlayerInstaller.exe registers the roblox, roblox-player and roblox-studio schemes so that links using them launch the handler without the browser's "open this program?" prompt.
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox | RobloxPlayerInstaller.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0" | RobloxPlayerInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player | RobloxPlayerInstaller.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0" | RobloxPlayerInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio | RobloxPlayerInstaller.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0" | RobloxPlayerInstaller.exe

Modifies data under HKEY_USERS 64 IoCs
None of these writes comes from the Solara components. MicrosoftEdgeUpdate.exe creates empty certificate-store container keys under HKU\.DEFAULT, consistent with CryptoAPI initialising per-user store containers for a process running as LocalSystem (whose user hive is .DEFAULT); no certificate is added. The LogonUI.exe theme values and the chrome.exe TPM telemetry entries are sandbox background activity.

MicrosoftEdgeUpdate.exe (44 IoCs):
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\<store> and its Certificates, CRLs and CTLs subkeys, for <store> in trust, CA, Root, Disallowed, TrustedPeople, SmartCardRoot (24 keys)
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\<store> and its Certificates, CRLs and CTLs subkeys, for <store> in trust, CA, Disallowed, TrustedPeople (16 keys)
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"

LogonUI.exe (15 IoCs):
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "111"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"

msiexec.exe (3 IoCs):
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b

chrome.exe (2 IoCs):
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133630411210495225"
Modifies registry class 64 IoCs
Processes:
MicrosoftEdgeUpdateComRegisterShell64.exe, MicrosoftEdgeUpdateComRegisterShell64.exe, MicrosoftEdgeUpdateComRegisterShell64.exe, MicrosoftEdgeUpdate.exe, msiexec.exe, MicrosoftEdgeUpdate.exe, RobloxPlayerInstaller.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods\ = "6" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback.1.0\CLSID\ = "{E421557C-0628-43FB-BF2B-7C9F8A4D067C}" | MicrosoftEdgeUpdate.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\VERSIONINDEPENDENTPROGID | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ = "IBrowserHttpRequest2" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE} | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ = "IAppWeb" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32 | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ProxyStubClsid32 | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ = "IProcessLauncher" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ = "IAppBundle" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods\ = "8" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C} | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback.1.0\ = "Microsoft Edge Update Update3Web" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32 | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods\ = "16" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3} | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\LOCALSERVER32 | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods\ = "10" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\Elevation\Enabled = "1" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\ProgID | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\NumMethods\ = "4" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D} | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.PolicyStatusMachineFallback" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60355531-5BFD-45AB-942C-7912628752C7} | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC} | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachineFallback.1.0\ = "Google Update Policy Status Class" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B} | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\ServiceParameters = "/comsvc" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF} | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0} | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ = "IGoogleUpdate3" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\VersionIndependentProgID | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductName = "Node.js" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\ = "Update3COMClass" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C} | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open | RobloxPlayerInstaller.exe
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
SolaraBootstrapper.exe, msiexec.exe, SolaraBootstrapper.exe, cd57e4c171d6e8f5ea8b8f824a6a7316.exe, chrome.exe, RobloxPlayerInstaller.exe, chrome.exe, MicrosoftEdgeUpdate.exe, RobloxPlayerBeta.exe
pid | process
4652 | SolaraBootstrapper.exe (×2)
1836 | msiexec.exe (×2)
3912 | SolaraBootstrapper.exe (×2)
3748 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe (×2)
3308 | chrome.exe (×2)
824 | RobloxPlayerInstaller.exe (×2)
4432 | chrome.exe (×2)
3880 | MicrosoftEdgeUpdate.exe (×6)
4732 | RobloxPlayerBeta.exe (×2)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
Processes:
chrome.exe
pid | process
3308 | chrome.exe (×14)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
SolaraBootstrapper.exe, msiexec.exe, msiexec.exe, wevtutil.exe, wevtutil.exe
description | pid | process
Token: SeDebugPrivilege | 4652 | SolaraBootstrapper.exe
Token: SeShutdownPrivilege | 1740 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1740 | msiexec.exe
Token: SeSecurityPrivilege | 1836 | msiexec.exe
Token: SeCreateTokenPrivilege | 1740 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 1740 | msiexec.exe
Token: SeLockMemoryPrivilege | 1740 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1740 | msiexec.exe
Token: SeMachineAccountPrivilege | 1740 | msiexec.exe
Token: SeTcbPrivilege | 1740 | msiexec.exe
Token: SeSecurityPrivilege | 1740 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1740 | msiexec.exe
Token: SeLoadDriverPrivilege | 1740 | msiexec.exe
Token: SeSystemProfilePrivilege | 1740 | msiexec.exe
Token: SeSystemtimePrivilege | 1740 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 1740 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 1740 | msiexec.exe
Token: SeCreatePagefilePrivilege | 1740 | msiexec.exe
Token: SeCreatePermanentPrivilege | 1740 | msiexec.exe
Token: SeBackupPrivilege | 1740 | msiexec.exe
Token: SeRestorePrivilege | 1740 | msiexec.exe
Token: SeShutdownPrivilege | 1740 | msiexec.exe
Token: SeDebugPrivilege | 1740 | msiexec.exe
Token: SeAuditPrivilege | 1740 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 1740 | msiexec.exe
Token: SeChangeNotifyPrivilege | 1740 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 1740 | msiexec.exe
Token: SeUndockPrivilege | 1740 | msiexec.exe
Token: SeSyncAgentPrivilege | 1740 | msiexec.exe
Token: SeEnableDelegationPrivilege | 1740 | msiexec.exe
Token: SeManageVolumePrivilege | 1740 | msiexec.exe
Token: SeImpersonatePrivilege | 1740 | msiexec.exe
Token: SeCreateGlobalPrivilege | 1740 | msiexec.exe
Token: SeRestorePrivilege | 1836 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1836 | msiexec.exe
Token: SeRestorePrivilege | 1836 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1836 | msiexec.exe
Token: SeRestorePrivilege | 1836 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1836 | msiexec.exe
Token: SeRestorePrivilege | 1836 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1836 | msiexec.exe
Token: SeRestorePrivilege | 1836 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1836 | msiexec.exe
Token: SeRestorePrivilege | 1836 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1836 | msiexec.exe
Token: SeRestorePrivilege | 1836 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1836 | msiexec.exe
Token: SeRestorePrivilege | 1836 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1836 | msiexec.exe
Token: SeRestorePrivilege | 1836 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1836 | msiexec.exe
Token: SeRestorePrivilege | 1836 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1836 | msiexec.exe
Token: SeRestorePrivilege | 1836 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1836 | msiexec.exe
Token: SeSecurityPrivilege | 4552 | wevtutil.exe
Token: SeBackupPrivilege | 4552 | wevtutil.exe
Token: SeSecurityPrivilege | 3948 | wevtutil.exe
Token: SeBackupPrivilege | 3948 | wevtutil.exe
Token: SeRestorePrivilege | 1836 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1836 | msiexec.exe
Token: SeRestorePrivilege | 1836 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1836 | msiexec.exe
Token: SeRestorePrivilege | 1836 | msiexec.exe
-
Suspicious use of FindShellTrayWindow 35 IoCs
Processes:
cd57e4c171d6e8f5ea8b8f824a6a7316.exe, chrome.exe
pid | process
3748 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe
3308 | chrome.exe (×34)
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
chrome.exe
pid | process
3308 | chrome.exe (×24)
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
node.exe, vc_redist.x64.exe, vc_redist.x64.exe, node.exe, LogonUI.exe
pid | process
4084 | node.exe
4572 | vc_redist.x64.exe
2040 | vc_redist.x64.exe
5100 | node.exe
3844 | LogonUI.exe
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
RobloxPlayerBeta.exe
pid | process
4732 | RobloxPlayerBeta.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
SolaraBootstrapper.exe, msiexec.exe, MsiExec.exe, wevtutil.exe, vc_redist.x64.exe, SolaraBootstrapper.exe, vc_redist.x64.exe, cd57e4c171d6e8f5ea8b8f824a6a7316.exe, chrome.exe
description | pid | process | target process
PID 4652 wrote to memory of 1740 | 4652 | SolaraBootstrapper.exe | msiexec.exe (×3)
PID 1836 wrote to memory of 2848 | 1836 | msiexec.exe | MsiExec.exe (×2)
PID 1836 wrote to memory of 4736 | 1836 | msiexec.exe | MsiExec.exe (×3)
PID 1836 wrote to memory of 2676 | 1836 | msiexec.exe | MsiExec.exe (×3)
PID 2676 wrote to memory of 4552 | 2676 | MsiExec.exe | wevtutil.exe (×3)
PID 4552 wrote to memory of 3948 | 4552 | wevtutil.exe | wevtutil.exe (×2)
PID 4652 wrote to memory of 4260 | 4652 | SolaraBootstrapper.exe | vc_redist.x64.exe (×3)
PID 4260 wrote to memory of 4308 | 4260 | vc_redist.x64.exe | vc_redist.x64.exe (×3)
PID 3912 wrote to memory of 4084 | 3912 | SolaraBootstrapper.exe | node.exe (×2)
PID 3912 wrote to memory of 4572 | 3912 | SolaraBootstrapper.exe | vc_redist.x64.exe (×3)
PID 4572 wrote to memory of 2040 | 4572 | vc_redist.x64.exe | vc_redist.x64.exe (×3)
PID 3912 wrote to memory of 3748 | 3912 | SolaraBootstrapper.exe | cd57e4c171d6e8f5ea8b8f824a6a7316.exe (×2)
PID 3748 wrote to memory of 5100 | 3748 | cd57e4c171d6e8f5ea8b8f824a6a7316.exe | node.exe (×2)
PID 3308 wrote to memory of 3584 | 3308 | chrome.exe | chrome.exe (×2)
PID 3308 wrote to memory of 768 | 3308 | chrome.exe | chrome.exe (×28)
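The WriteProcessMemory table above is the raw material for reconstructing the sample's process lineage: the first process to write into a new PID is its creator, and the two or three writes logged for every (parent, child) pair at creation are what CreateProcess itself performs when setting up the child, not injection into a running process. The script below, added here as an example and not part of the report or of any tool that produced it, parses rows in the table's format, rebuilds the parent chain, and labels each pair. Rows are copied from the table (the 28-entry chrome.exe 3308 -> 768 run is shortened to six); the report carries no timestamps, so treating low-count writes by the creator as creation-time bootstrap writes is an inference, flagged as such in the code.

```python
import re
from collections import Counter, defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table of this
# report (a subset of the 64 entries; the 3308 -> 768 run is shortened to 6).
WPM_ROWS = """
PID 4652 wrote to memory of 1740 4652 SolaraBootstrapper.exe msiexec.exe
PID 4652 wrote to memory of 1740 4652 SolaraBootstrapper.exe msiexec.exe
PID 4652 wrote to memory of 1740 4652 SolaraBootstrapper.exe msiexec.exe
PID 1836 wrote to memory of 2676 1836 msiexec.exe MsiExec.exe
PID 1836 wrote to memory of 2676 1836 msiexec.exe MsiExec.exe
PID 1836 wrote to memory of 2676 1836 msiexec.exe MsiExec.exe
PID 2676 wrote to memory of 4552 2676 MsiExec.exe wevtutil.exe
PID 2676 wrote to memory of 4552 2676 MsiExec.exe wevtutil.exe
PID 2676 wrote to memory of 4552 2676 MsiExec.exe wevtutil.exe
PID 4552 wrote to memory of 3948 4552 wevtutil.exe wevtutil.exe
PID 4552 wrote to memory of 3948 4552 wevtutil.exe wevtutil.exe
PID 3912 wrote to memory of 4084 3912 SolaraBootstrapper.exe node.exe
PID 3912 wrote to memory of 4084 3912 SolaraBootstrapper.exe node.exe
PID 3912 wrote to memory of 3748 3912 SolaraBootstrapper.exe cd57e4c171d6e8f5ea8b8f824a6a7316.exe
PID 3912 wrote to memory of 3748 3912 SolaraBootstrapper.exe cd57e4c171d6e8f5ea8b8f824a6a7316.exe
PID 3748 wrote to memory of 5100 3748 cd57e4c171d6e8f5ea8b8f824a6a7316.exe node.exe
PID 3748 wrote to memory of 5100 3748 cd57e4c171d6e8f5ea8b8f824a6a7316.exe node.exe
PID 3308 wrote to memory of 768 3308 chrome.exe chrome.exe
PID 3308 wrote to memory of 768 3308 chrome.exe chrome.exe
PID 3308 wrote to memory of 768 3308 chrome.exe chrome.exe
PID 3308 wrote to memory of 768 3308 chrome.exe chrome.exe
PID 3308 wrote to memory of 768 3308 chrome.exe chrome.exe
PID 3308 wrote to memory of 768 3308 chrome.exe chrome.exe
"""

# "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_rows(text):
    """Return (writer_pid, target_pid, writer_image, target_image) per row."""
    edges = []
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            edges.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return edges


def edge_counts(edges):
    """How many writes each (writer, target) pair produced."""
    return Counter((w, t) for w, t, _, _ in edges)


def build_tree(edges):
    """The first writer into a target PID is taken as its creator (parent)."""
    parent, names = {}, {}
    for w, t, wname, tname in edges:
        names.setdefault(w, wname)
        names.setdefault(t, tname)
        parent.setdefault(t, w)
    return parent, names


def lineage(pid, parent, names):
    """Ancestor chain from the root down to pid, as 'image(pid)' strings."""
    chain, seen = [], set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append(f"{names.get(pid, '?')}({pid})")
        pid = parent.get(pid)
    return chain[::-1]


def classify(edges):
    """Label each (writer, target) pair.

    A target written to only by its creator, a handful of times, matches the
    bootstrap writes CreateProcess makes into a new child. A target written to
    by a process other than its creator is the pair to pull for injection
    analysis. The report has no timestamps, so "creation-time" is inferred from
    the tree rather than observed (assumption of this example).
    """
    counts = edge_counts(edges)
    writers = defaultdict(set)
    for w, t in counts:
        writers[t].add(w)
    labels = {}
    for (w, t), n in counts.items():
        if len(writers[t]) > 1:
            labels[(w, t)] = "written by a non-creator process: review for injection"
        elif n <= 3:
            labels[(w, t)] = "creation-time bootstrap writes"
        else:
            labels[(w, t)] = "sustained writes by creator (broker/child pattern)"
    return labels


if __name__ == "__main__":
    edges = parse_rows(WPM_ROWS)
    parent, names = build_tree(edges)
    print(" -> ".join(lineage(5100, parent, names)))
    for pair, label in sorted(classify(edges).items()):
        print(pair, edge_counts(edges)[pair], label)
```

Run against the full table, every pair in this report resolves to a single writer that is also the target's parent, which is why none of the 64 entries on its own points at injection; the chain worth keeping is SolaraBootstrapper.exe(3912) -> cd57e4c171d6e8f5ea8b8f824a6a7316.exe(3748) -> node.exe(5100), the only path in the sample's tree that ends in an interpreter.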
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4652
    [level 2] C:\Windows\SysWOW64\msiexec.exe
        command line: "msiexec" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
        - Suspicious use of AdjustPrivilegeToken
        PID:1740
    [level 2] C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe" /install /quiet /norestart
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID:4260
        [level 3] C:\Windows\Temp\{BFA16139-D87F-45E8-BE1D-997B16CE94B7}\.cr\vc_redist.x64.exe
            command line: "C:\Windows\Temp\{BFA16139-D87F-45E8-BE1D-997B16CE94B7}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe" -burn.filehandle.attached=536 -burn.filehandle.self=532 /install /quiet /norestart
            - Executes dropped EXE
            - Loads dropped DLL
            PID:4308
-
[level 1] C:\Windows\system32\msiexec.exe
    command line: C:\Windows\system32\msiexec.exe /V
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1836
    [level 2] C:\Windows\System32\MsiExec.exe
        command line: C:\Windows\System32\MsiExec.exe -Embedding D460408B769F501CA4E2BD2BDB3CC903
        - Loads dropped DLL
        PID:2848
    [level 2] C:\Windows\syswow64\MsiExec.exe
        command line: C:\Windows\syswow64\MsiExec.exe -Embedding F7C16E8937A9CA3A9DFAA214CB791CC2
        - Loads dropped DLL
        PID:4736
    [level 2] C:\Windows\syswow64\MsiExec.exe
        command line: C:\Windows\syswow64\MsiExec.exe -Embedding 040C5A7C872BE94ED060B3D173AD4AE2 E Global\MSI0000
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID:2676
        [level 3] C:\Windows\SysWOW64\wevtutil.exe
            command line: "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID:4552
            [level 4] C:\Windows\System32\wevtutil.exe
                command line: "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
                - Suspicious use of AdjustPrivilegeToken
                PID:3948
-
[level 1] C:\Windows\System32\rundll32.exe
    command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:3388
-
[level 1] C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3912
    [level 2] C:\Program Files\nodejs\node.exe
        command line: "node" -v
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        PID:4084
    [level 2] C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe" /install /quiet /norestart
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID:4572
        [level 3] C:\Windows\Temp\{A08C5EAA-BD69-42C9-A04E-73AB88CEAE42}\.cr\vc_redist.x64.exe
            command line: "C:\Windows\Temp\{A08C5EAA-BD69-42C9-A04E-73AB88CEAE42}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe" -burn.filehandle.attached=568 -burn.filehandle.self=576 /install /quiet /norestart
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
            PID:2040
    [level 2] C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID:3748
        [level 3] C:\Program Files\nodejs\node.exe
            command line: node "C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\index.js"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID:5100
-
[level 1] C:\Windows\system32\NOTEPAD.EXE
    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\TMUACBLB-20240611-1849a.log
    PID:1332
-
[level 1] C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3308
    [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff943e9ab58,0x7ff943e9ab68,0x7ff943e9ab78
        PID:3584
    [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:2
        PID:768
    [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:8
        PID:4668
    [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:8
        PID:4392
    [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3128 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:1
        PID:1900
    [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:1
        PID:4804
    [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3648 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:1
        PID:1940
    [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4436 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:8
        PID:2020
    [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:8
        PID:4044
    [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4660 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:1
        PID:2700
    [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3176 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:8
        PID:3908
    [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3248 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:8
        PID:228
    [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3184 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:8
        PID:684
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4812 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:12⤵PID:5064
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4168 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:82⤵PID:4080
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:82⤵PID:2280
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2280 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:12⤵PID:1128
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5116 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:82⤵PID:1380
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1708 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:82⤵PID:2592
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:82⤵PID:3432
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5680 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:12⤵PID:3672
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5784 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:12⤵PID:3492
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5408 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:12⤵PID:3940
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3288 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:82⤵PID:4200
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5344 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:82⤵PID:868
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4916 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:82⤵PID:2372
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:82⤵PID:2188
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6044 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:82⤵PID:764
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6020 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:82⤵PID:2996
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=3168 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:12⤵PID:1740
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=4908 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:12⤵PID:3008
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=5080 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:12⤵PID:1376
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=5456 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:12⤵PID:2232
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6116 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:82⤵PID:1252
-
C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe (tree level 2, PID 824)
"C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe"
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Roblox\Versions\version-2cca5ed32b534b2a\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe (tree level 3, PID 540)
MicrosoftEdgeWebview2Setup.exe /silent /install
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Temp\EUAD44.tmp\MicrosoftEdgeUpdate.exe (tree level 4, PID 3880)
"C:\Program Files (x86)\Microsoft\Temp\EUAD44.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (tree level 5, PID 224)
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (tree level 5, PID 4132)
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe (tree level 6, PID 3304)
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe (tree level 6, PID 376)
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe (tree level 6, PID 2312)
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (tree level 5, PID 3344)
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7M0JFREYzNDAtRjYwMy00RDdFLTk5QzEtQzAyM0MyNDE2NzlBfSIgdXNlcmlkPSJ7M0MzREYwNEQtMEQ4Qy00NzFELTk3MTItQ0Q5Mzk4QjA4Q0Y2fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntGRjFGRUZFMS1DMEQxLTQ5REEtOTAyOS1FQjgyRDgzQjYyREV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE0Ny4zNyIgbmV4dHZlcnNpb249IjEuMy4xNzEuMzkiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijc0NTQxODI1NjQiIGluc3RhbGxfdGltZV9tcz0iNTQ1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (tree level 5, PID 4868)
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{3BEDF340-F603-4D7E-99C1-C023C241679A}" /silent
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Roblox\Versions\version-2cca5ed32b534b2a\RobloxPlayerBeta.exe (tree level 3, PID 4732)
"C:\Program Files (x86)\Roblox\Versions\version-2cca5ed32b534b2a\RobloxPlayerBeta.exe" -app -isInstallerLaunch
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
-
C:\Program Files\Google\Chrome\Application\chrome.exe (tree level 2, PID 4432)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6132 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe (tree level 2, PID 3648)
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=1908 --field-trial-handle=1960,i,17109802722346559735,5267733745909850785,131072 /prefetch:1
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (tree level 1, PID 4840)
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (tree level 1, PID 4876)
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (tree level 2, PID 208)
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7M0JFREYzNDAtRjYwMy00RDdFLTk5QzEtQzAyM0MyNDE2NzlBfSIgdXNlcmlkPSJ7M0MzREYwNEQtMEQ4Qy00NzFELTk3MTItQ0Q5Mzk4QjA4Q0Y2fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntDREUxNzdCNS0xMzk5LTQ3RkQtODhGMy0zOEQ4MDUwQkEwOTd9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTEwLjAuNTQ4MS4xMDQiIG5leHR2ZXJzaW9uPSIxMTAuMC41NDgxLjEwNCIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjUiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijc0NTc5ODI2NzQiLz48L2FwcD48L3JlcXVlc3Q-
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A17ECB7-457B-4802-B6A1-A8DAE1D1475D}\MicrosoftEdge_X64_126.0.2592.56.exe (tree level 2, PID 4104)
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A17ECB7-457B-4802-B6A1-A8DAE1D1475D}\MicrosoftEdge_X64_126.0.2592.56.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A17ECB7-457B-4802-B6A1-A8DAE1D1475D}\EDGEMITMP_46026.tmp\setup.exe (tree level 3, PID 2400)
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A17ECB7-457B-4802-B6A1-A8DAE1D1475D}\EDGEMITMP_46026.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A17ECB7-457B-4802-B6A1-A8DAE1D1475D}\MicrosoftEdge_X64_126.0.2592.56.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A17ECB7-457B-4802-B6A1-A8DAE1D1475D}\EDGEMITMP_46026.tmp\setup.exe (tree level 4, PID 4684)
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A17ECB7-457B-4802-B6A1-A8DAE1D1475D}\EDGEMITMP_46026.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=126.0.6478.57 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A17ECB7-457B-4802-B6A1-A8DAE1D1475D}\EDGEMITMP_46026.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=126.0.2592.56 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ff79109aa40,0x7ff79109aa4c,0x7ff79109aa58
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (tree level 2, PID 4888)
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7M0JFREYzNDAtRjYwMy00RDdFLTk5QzEtQzAyM0MyNDE2NzlBfSIgdXNlcmlkPSJ7M0MzREYwNEQtMEQ4Qy00NzFELTk3MTItQ0Q5Mzk4QjA4Q0Y2fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins1RTcxQzRGNi1EQzg5LTRFNkYtQTRFQi0yOURGNjk2OTUyQzB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTI2LjAuMjU5Mi41NiIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9Ii0xIiBpbnN0YWxsZGF0ZT0iLTEiPjx1cGRhdGVjaGVjay8-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_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-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-
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
-
C:\Windows\system32\LogonUI.exe (tree level 1, PID 3844)
"LogonUI.exe" /flags:0x4 /state0:0xa3918855 /state1:0x41c64e6d
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 1.0MB
MD5 84c05f45a40b06836f7bc83bad7bfbc6
SHA1 2a6b9850cf187d039484d9483185f2dbe422ce14
SHA256 344f3942c42c6c6245742c96f384197d526620394ecadbb50a414bc837237278
SHA512 bf781e49c3734826856ac5af42c21e51e70fe6305b123dd2addc271c4f4f78a28b389662913e27bc2c28bd663be7ad516f6f6dc977bbb3adc3c43366e44e133f
-
Filesize 6.5MB
MD5 2db3410f16bfb551b063112f170cfe92
SHA1 4ac32b5efaed17e0aab5146774e0a90dd912b0ff
SHA256 34a13e267b18b462cfb5c2b13c822d2b7d06b631f0e3257585382a10ef379c72
SHA512 e499fd5fca2c9dfca23b11a651a647678d814f7e64cfafd8ce0e3a88621655f7d75eca8fdaa6d1fd248f6549f544ea91411bb7544420a662891fc2cb231bf23a
-
Filesize 201KB
MD5 4dc57ab56e37cd05e81f0d8aaafc5179
SHA1 494a90728d7680f979b0ad87f09b5b58f16d1cd5
SHA256 87c6f7d9b58f136aeb33c96dbfe3702083ec519aafca39be66778a9c27a68718
SHA512 320eeed88d7facf8c1f45786951ef81708c82cb89c63a3c820ee631c52ea913e64c4e21f0039c1b277cfb710c4d81cd2191878320d00fd006dd777c727d9dc2b
-
Filesize 5.4MB
MD5 f899ed8284f9df71e4dd43b152dd60e9
SHA1 715796f8e8c83699dc2672f5acee91dce08715cf
SHA256 8d886a250762d21047a8a579251909225f5adab2e372a7f03e2c1c8c3d294152
SHA512 49b6ec6cc9b7256a19ec18ae5045fb01118b5ae1b2aa5b6e4d9b66daca8b7b3dcbfdde84c20a416378ece260fbb06addaed2c3d6af7eaff4958934fbb81dd796
-
Filesize 280B
MD5 41069e54851ee49882eda179402ad9fc
SHA1 0507f2afcd8eaf7cbc96cd55c1ee7963f50acd19
SHA256 3e5bc0678c1e69dc061bb8ed88023506d7ed1964d2d03d063677904a30fac5e6
SHA512 4c16570f57e7b740619bbf321443fc772a58e5ee3f67d6d0ca420d52ea79592934ab7f94442940970dc2f75838bf434373161b3597e3181721fe0cbb359d5135
-
Filesize 10KB
MD5 1d51e18a7247f47245b0751f16119498
SHA1 78f5d95dd07c0fcee43c6d4feab12d802d194d95
SHA256 1975aa34c1050b8364491394cebf6e668e2337c3107712e3eeca311262c7c46f
SHA512 1eccbe4ddae3d941b36616a202e5bd1b21d8e181810430a1c390513060ae9e3f12cd23f5b66ae0630fd6496b3139e2cc313381b5506465040e5a7a3543444e76
-
Filesize 8KB
MD5 d3bc164e23e694c644e0b1ce3e3f9910
SHA1 1849f8b1326111b5d4d93febc2bafb3856e601bb
SHA256 1185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4
SHA512 91ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854
-
Filesize 818B
MD5 2916d8b51a5cc0a350d64389bc07aef6
SHA1 c9d5ac416c1dd7945651bee712dbed4d158d09e1
SHA256 733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04
SHA512 508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74
-
Filesize 1KB
MD5 5ad87d95c13094fa67f25442ff521efd
SHA1 01f1438a98e1b796e05a74131e6bb9d66c9e8542
SHA256 67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec
SHA512 7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3
-
Filesize 754B
MD5 d2cf52aa43e18fdc87562d4c1303f46a
SHA1 58fb4a65fffb438630351e7cafd322579817e5e1
SHA256 45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0
SHA512 54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16
-
Filesize 771B
MD5 e9dc66f98e5f7ff720bf603fff36ebc5
SHA1 f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b
SHA256 b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79
SHA512 8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b
-
Filesize 730B
MD5 072ac9ab0c4667f8f876becedfe10ee0
SHA1 0227492dcdc7fb8de1d14f9d3421c333230cf8fe
SHA256 2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013
SHA512 f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013
-
C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\node_modules\minipass\package.json
Filesize 1KB
MD5 d116a360376e31950428ed26eae9ffd4
SHA1 192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b
SHA256 c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5
SHA512 5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a
-
Filesize 802B
MD5 d7c8fab641cd22d2cd30d2999cc77040
SHA1 d293601583b1454ad5415260e4378217d569538e
SHA256 04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be
SHA512 278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764
-
Filesize 16KB
MD5 bc0c0eeede037aa152345ab1f9774e92
SHA1 56e0f71900f0ef8294e46757ec14c0c11ed31d4e
SHA256 7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5
SHA512 5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3
-
Filesize 780B
MD5 b020de8f88eacc104c21d6e6cacc636d
SHA1 20b35e641e3a5ea25f012e13d69fab37e3d68d6b
SHA256 3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706
SHA512 4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38
-
Filesize 763B
MD5 7428aa9f83c500c4a434f8848ee23851
SHA1 166b3e1c1b7d7cb7b070108876492529f546219f
SHA256 1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7
SHA512 c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce
-
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts
Filesize 4KB
MD5 f0bd53316e08991d94586331f9c11d97
SHA1 f5a7a6dc0da46c3e077764cfb3e928c4a75d383e
SHA256 dd3eda3596af30eda88b4c6c2156d3af6e7fa221f39c46e492c5e9fb697e2fef
SHA512 fd6affbaed67d09cf45478f38e92b8ca6c27650a232cbbeaff36e4f7554fb731ae44cf732378641312e98221539e3d8fabe80a7814e4f425026202de44eb5839
-
Filesize 771B
MD5 1d7c74bcd1904d125f6aff37749dc069
SHA1 21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab
SHA256 24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9
SHA512 b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778
-
Filesize 63KB
MD5 6e97c334f0b540c8ef7df5de8df548b8
SHA1 4263c7688f0f59ef14cefc8987234da0eb30acc6
SHA256 3f8067249169a225ecbcfd341ac47a78f51eacce3b78419b1b8281a2ccab2457
SHA512 13c14828730cf914e5fb6e2e9d5a81081040acd66de4c192c0987b696b269a1b85520287c52f95bb141231bb3e9f489ff7a1920550eebf510d3665f64b01a34f
-
Filesize 168B
MD5 db7dbbc86e432573e54dedbcc02cb4a1
SHA1 cff9cfb98cff2d86b35dc680b405e8036bbbda47
SHA256 7cf8a9c96f9016132be81fd89f9573566b7dc70244a28eb59d573c2fdba1def9
SHA512 8f35f2e7dac250c66b209acecab836d3ecf244857b81bacebc214f0956ec108585990f23ff3f741678e371b0bee78dd50029d0af257a3bb6ab3b43df1e39f2ec
-
Filesize 133B
MD5 35b86e177ab52108bd9fed7425a9e34a
SHA1 76a1f47a10e3ab829f676838147875d75022c70c
SHA256 afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319
SHA512 3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62
-
Filesize 121KB
MD5 8ef55859ae329cfe96bf819cabb9b05d
SHA1 d506ddae246b967ee4287f3a55a1f75cc3f59830
SHA256 a38119ce927f5dd9c7c8be6492db32b3c92b0ff2197d55346184485de59e4e83
SHA512 9333cfd26097ba84d0b7d0387928d0437bfd45017547270e85be0c1d2a5b42c11de23f3890e22b45cdcd3548ced0cb3bf7810d74121531515a5c8d0c6a897a78
-
Filesize 51KB
MD5 588ee33c26fe83cb97ca65e3c66b2e87
SHA1 842429b803132c3e7827af42fe4dc7a66e736b37
SHA256 bbc4044fe46acd7ab69d8a4e3db46e7e3ca713b05fa8ecb096ebe9e133bba760
SHA512 6f7500b12fc7a9f57c00711af2bc8a7c62973f9a8e37012b88a0726d06063add02077420bc280e7163302d5f3a005ac8796aee97042c40954144d84c26adbd04
-
Filesize 5KB
MD5 1c555a0c852bc4bb1c41c22e895c223e
SHA1 106118e9f6d82a0388ba68244bb4c7264c666e1d
SHA256 4269351aa114ac616c4785e7116e4bfb65872dedb306489928dd90a39a5763e9
SHA512 36ddb9a47b4a8d526d05315ccbb07cef3af0e51e5c1aabb480de3bea22733d786677cd532a09020edbb88470bec0bcbf5b3975ae6ddf96b2a516ff551eb58cd5
-
Filesize 2KB
MD5 bfda7c0348efe1bd7d44ae5cda29402d
SHA1 4769ec48a9e712ba6c23c8fb6bcc065c70ab8aaf
SHA256 eae8f513755a0c23be598d920b51090dea8c157c9dbdb3cf149cc5f9d90c44db
SHA512 1c8f1ac3c598ebf92b2fa91d8253047bd84e1aae296b927b712cef6734fb78367bb249de4fa910db3fe4971cb1c79a94c92d576fd473b12beee0fd170ff44d0f
-
Filesize 4KB
MD5 b2a4e2a95bd12b7c828cc6a50488bc8a
SHA1 e7e3b1cf6fda0921f6c7828d088ed7770224b0c0
SHA256 ef83181657837d33bdb764e5643885a037997d1f341dc2780c153461247698dd
SHA512 45a5aaf21bbd1b64d8a28e1c412b9b095480914f63769b6e7dea71b0749dbc0acb4cb13506a88fdc0ae092144ffae822c7bcf55adf83b989d9565d918f0970ad
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\MANIFEST-000001
Filesize 23B
MD5 3fd11ff447c1ee23538dc4d9724427a3
SHA1 1335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256 720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA512 10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824
-
Filesize 9KB
MD5 81fa51c5757791eab8da6be9ef9d26d7
SHA1 5dfba3626e18def747ff7dc6321a77452f08bf07
SHA256 594126bbbd5664a088cdbec7fa194e3a2aaa0e8aa80a5fd24c40bac2ab5be8c6
SHA512 1b1c29c02f18256a032095a067a1d6906cbae0612c4c5bfb143b11041fe83a0787e8a7bf72aef0635ef1ea593a4e03209a23e197a9672c93dc9c7a5ee2a35717
-
Filesize 7KB
MD5 7eed113db4d0f9bb9a6886e93ea7a98a
SHA1 f685cffec04838b21ed78cc2c161a76873bb5843
SHA256 243e60605820acb5063c93ad8a6b2643a53874a3d544c6917346eb158699cba9
SHA512 31f97bd3ef9fdf74e84b8b097aec770cfda5e40fd56b957133ec1f0042f82a657b385b4ca11373691a889ede75bdeee85b5d03c24aded09ea66079565e8d4fc2
-
Filesize 9KB
MD5 0a5e0b8b269ad216467087a951f4a4ff
SHA1 7d521f0e1ebd5d35b67c78c8fb24a1676c7e6012
SHA256 8e3abe286be2548721418a9a36b212e12f6b76a39e793a2d93d5781a033983f8
SHA512 24604eb1d600439d7ec6f5ba3c05d99c5ed1fb4f5f4f970141256fea9329e5ab583965dba20a337357c976b397f4c504c78b6c05ee4cef4de42a7de92505ddf2
-
Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize 1KB
MD5 b903467d30deb95fb40986242277eb5d
SHA1 5d535c017fce9f0d620dc034f292a347c29e8bfe
SHA256 31829cab5488804abe24c25ea098af188493ea81615483fd99d09dffa2b6eb44
SHA512 b13ec44a2f7c10cfab2afebd12920a96ae89e528408785bf8e0d50689ef7040203f076c28289dc2fa065a52437b95b42400654166475ce577cea7729d0cea724
-
Filesize 1KB
MD5 997a75631f0fb0e5567fe5d9b4a7f282
SHA1 5018e20c8f2a408e2620c071053d5f69b41e4074
SHA256 e2e5beff7765febe7b27acac78dc5ec31a8268ea175a8b1fcc8dfa0c712447fc
SHA512 d3a3eef04fc4fb1b71ba34380eec7cdfaa0572a40d128ad203118abbc7c67ffad943a05a85cec2d303bb523a3c5984c298bfc876cd676a35fdda020957942b8d
-
Filesize 4KB
MD5 dbad5d3787600f379b716f76f53cbb74
SHA1 97c3713bbe040e72b0b6b772f32630e588db00f1
SHA256 110b70c57af5ceb2f76323eaff6979f740941911e255e61d63f012df2db3904b
SHA512 f63a59c381fd44fce9a05e44a104809b7bb0be3ba04f2703b7d45a08c7a9682ce2e90372ea6665e66c5962c24710dd0038ff88f3fc323009ab525578e8066147
-
Filesize 1KB
MD5 e0a94ed075aa507d5c55ec08595b6c99
SHA1 430d877e9b7c6761792ab2d5448d041fe80afc4f
SHA256 613009bc408bf87a3a00fb47f1da7834a8ed8e4e65e7e5f49487adaeb6a2ef74
SHA512 58b01a5c285f0b47af884177ecb716c4762a7d5866bec33b13cd82f2e09ecefd80de45943e761da8aadf83eabaefadb35f20c50997805241d30abb01e78a755f
-
Filesize 3KB
MD5 b082e46351786806b2fa741c0de1f4e0
SHA1 6320b8fcdfde466cbf1ad4d9dd087d53ab636fa7
SHA256 d46b40e3c0d578de97dd1522431ed1cb478ef84f17317575b9b3e2d25d5df1d4
SHA512 8a255fc8af5fb20bd846f654cc82d312ec454c3d982c2fbd857028b8f3bbdfb90f79a4f7368382b35723f7c74d58defe571aa2edff8c95ee346d0f48c42aad0f
-
Filesize 4KB
MD5 7a8285f9d65df1f81b205dd7b27638e7
SHA1 0caa91c4663a07b6d6c7534e84bdd24012e5bf6b
SHA256 6527b3b08b4be66d447ef91e7a05e8e5111c92ac516bbcff83516c827da5552a
SHA512 bacb40f7cee273a155a504a20268c7d9286f9e07043f43f0a0dfa6084f7aa259f500f99d60b5792bd2854f1bad71b1ae337437eb1de47ebea37ccc46e1d7b83c
-
Filesize 4KB
MD5 de59543e9fe2e898cf74d4b76621b33c
SHA1 182bab1ccb52412badaef3e0d9cb60da0f18c6b3
SHA256 33a385a96dc14ac45260b3892ae59c8ea3a921065aadda6c2feb17ffa6794bae
SHA512 3a00b92ccdc7d1f7b85bccccc90481505e52e1e84c5c7d4efdd9f8930f19c2e4b182d43fa40c30743b40d0910316f3fde1146bf857e10b3b81e9f2286adcc7f7
-
Filesize 4KB
MD5 7ec4f6633009c7abaf40a0418d5b9928
SHA1 d4574e5e92557606c151ef59de7dac3cac87cb8a
SHA256 45e017f995ded40339eb63a4f9dd47d6c87a67efe19d7f8eec433c150c71f78e
SHA512 330a8fefa58512368d12d72e5f5c50f534a3889dde450e26cee1adfd10c938c16c10654edc5b632ba0f9b19553d9cefaa3a1a1d26f7a6eff43f8a04af77cc7c9
-
Filesize 4KB
MD5 bac2de4ce091245195f6d523e2cf87ae
SHA1 eb2122fcb38ed6f8fd15db68399f16116ecba671
SHA256 0bc6fada1506593d2085df3f444ac5e3f5b015b0da51e4b760894e02b7d04d20
SHA512 612eca23eddb9a3b27609c476febb8ccb0b9995061f4575e59d272a84c8b6fd3b26e51e83643f9e38bd8c4cb2bf83a95fd92a165f6b218aac1c3140541cce333
-
Filesize 4KB
MD5 d77e185bdb492df0b2c2ce870cd76e9e
SHA1 f60bc3c9b5955d44c5a9ff6787ce2da368e15898
SHA256 2b8ccb593fbce60dbd59e4230c6ffa91aa861483dc5def45761f979de3d558a2
SHA512 7752b3edb9c8738242fd7e743d7c7b6cde45b21d9e729816d69792473ad7e6bc31f51181c884e51094b22493151a57fbdf4e36fc21c4a4af867071daa3d0f07c
-
Filesize
1KB
MD5cd428364f45ee65f3ca2de29689d7386
SHA1298ab17b63db2960cac700d5adab8908914fb409
SHA2562a275ccd97f7644572ca73e03371d9070458cbb79e32b386a1ef079734132ea8
SHA512726c8063bb6c39750aed5dbaa7a17571cffeb1fa142d1b3efb9f602fac820c67803eb60c57d4e33cea474d7208bc15a60c8924f2919899d6a76df6af597479bd
-
Filesize
4KB
MD516cb2a0b3d2728e3aa2062191dc85252
SHA17d1c7f559dbffd6132c9bb3f04f2be004802a5d7
SHA2567d2c09fc2077c855e81565a08614f1715a8c70f1c302c0a8fbe1bdce7b78ce18
SHA512047829ab921b7e506871ccd372e6a30af4d08e9223ef1da421a0b4cbe6067ddc2bc596b0cdaf79e8f45f1a44361f9518ab2fc049ebb8831bdcb5b9d9f619bcf3
-
Filesize
4KB
MD590072d87495f65e8893190c3f7259a43
SHA1fa453bedda87154b1733754c349747deba7e3e4c
SHA256cbd34ab10ec97d963ab850dff70fdff0c6cd0d5a347c761980d955be6ab17398
SHA51247d2572fb5a86dbd915f325c8aef7a534a9f5f461c82404f27c5d36a3fa1ec2915c22af45f3bfa95a084606301962a2205b9e6773716ea27d2f2510ebb77d48f
-
Filesize
4KB
MD5fd70342fe29de37021217d210ffbd25d
SHA1ffd8e140a23dce029864235dc226794084859ae7
SHA2563a51585feac59794fb293419cfc3b353530a6460b775559556a4724a8e34c29c
SHA5122d708bcb6cb433f2255f8ab6639bffc02077468e56faf68648cc1cb9d80d881ff966616b88fdcb10ae6fce14d00678ce1f3f82287035e333fac2ce397db61041
-
Filesize
4KB
MD5e9e6a066d22bdc6d2795fc0701d61e21
SHA132194bd187bbdd4316c45386f20d967057e62909
SHA256ab5f499b83c3f3b88a30f8aebeec84bcf4e6cf1a2740f2a0ed9b73ca3474d9ae
SHA51250ecb019ac46dbcccad46fe13b975ab4e827070fca9ea98f6a1e85c9162e776a791ed06e8b3219a5fee4f59edf3ccc576c573ca1a7aa56b36799ad11f13034d4
-
Filesize
4KB
MD5472e6b49ca5ac0e17113c0799abc1b3d
SHA143af3d554bc07de4581f5427c2e40e9e6b4efa60
SHA25661a222ea6976148288cc80b109d08bb7e4f2f41b894ec95da6067c123d8c84e4
SHA51202e6dbc3977842bbb221e2750585452c28a8854bcdacc224e1f7b9820cea6cbe66d3b2e1efaedd59158cb16cb8e6f8f58d08c3bf35a4e8c8c60683b7df46e9f8
-
Filesize
4KB
MD53e618ddd0191bb1ae1a572b1d62d6956
SHA1ae829b48e1179d2ba8c39aa74d0d1a491f5f44a8
SHA25613485e728926406ea142ec8f0da1c413aa6043256a6235646394899d7c76f38e
SHA512c6339bdf0effce9f8b2d94ee4ee8ad4fb7295bae350e13d7c8f661d4d5905f121db64c24b51aa64744810c9fbc6ebcc506d0ca1d3048e1bef15d7f6af5d16dec
-
Filesize
4KB
MD56b17a87a3cd19a42b2a4b1bfa3e690aa
SHA1abc3dbce2f86568e20c60c365499f6f711bdc14a
SHA2568cea55f49f9729934066b5369afd5ef97188529c30f89d65901f2367a48520ca
SHA5123bc6c495907503693a07294f09f9fb212ee469886487f606c8870b42dadec3052ec5d891514c3ad05ec702e96d4cea7dd052ad962a115d3df210e7a82ea38e98
-
Filesize
4KB
MD5f569da88b16bb05c2545cf1470071e24
SHA10c69e6f5d7235d3a9e7411295c102bc27c1ce37d
SHA2567148a065950a4731bd0a89292e9ac1e7305336c11631285b98e4edec11cbbd27
SHA512db1df3842f09b2a30a59916ab7a0148ed7b90bfbd1f3f646f3d7f54b3c55d9f7b2209be9266a1c2192052001d931eddbcdb088d791b8e51f5fc117f4871b5d6a
-
Filesize
3KB
MD56edc17dc5eba39bf41939cac7e62de56
SHA11044d74e1f096ac120be3359ecd8f8560e553eeb
SHA25618dfea2df26cb9d088c1da5096146a520c04bdc3335d12f5a728109365321d3f
SHA512aadc0e48c7a06d60b5032124cb4179e6f8b61136a4ab32e147720902328a1ec7415b707d8d7dca67c04d17df8f2f3f08eb35d54dca3f0bfcadaf8a27bcfb3bdf
-
Filesize
7KB
MD508c17b419a8ce35d4e6923656a36b4b8
SHA1d03272975eed7b0c9b7a9983e3ff2938433a7168
SHA256fdeebc02ff1f6382f9ce7825dcf05e3b8c29983990c81e2342c42c3295b295e2
SHA5121809cb855c399d06632b0e04e2597f588064ac32d20f2430db96b9976c4c02a4057de3f370606d22a86efbc581721c066d58265077c1040afe3aa8a116a3ca3b
-
Filesize
7KB
MD5d515f5977cf3a681b42a48f0eb29fde2
SHA1dcde8dab7d234a3d833f5c5b97a0d896668b153e
SHA256a6e4c7c03a66262bd1f8e57cbb7d557fc210633b8832c4d99beea7e1e61e120e
SHA512f653457eaa253599b72b94c3fd94c7a95bbe30676b43029d562a7e295cb032ed7296f3bf300b375f5a14cbf3a1522f7a0d3d80a7715669ed3e1fe46546b68455
-
Filesize
16KB
MD57aff14904c4a7a53d6054ab096ec52cb
SHA15a06dca6aa4912e93afd8a907de07833bdc85231
SHA2560f055eb63d5ff091deeeccca09c183fe22941ebb8eed5c037b76aa2f4b0bbe3d
SHA512c99203d7305196447ec449e82cae0821c3858fd4dfe1d3a54c152d064fa9596437a2b9edd06dca6a84cf171b959a0af2b1e7aceb1dba3a422246c3730caab7aa
-
Filesize
276KB
MD58f038f83d2a180a5b1f690e7fc8d240d
SHA1a2474bc55d79b946445771445501b24a0a3f8ebb
SHA256a9904dbb4ece96d5a54e05898252f6a3271e01fa7d592897fb33b47443ec6cb1
SHA5124627219780fbb16306047bb2f39375ef7ae18cf2bdd25fb319a277542e4359b0bc19ec5bd6d5f65703d874c16bc467ee290d5d36c96dcb8c3b328c20bda043f7
-
Filesize
276KB
MD534268335e0e90ac4c3e9376487e77562
SHA12680dde2848b37a4ac17705f6bcbbfd6e34dfea7
SHA256b2e370036d9fd99df5457ed1f341cb6130230c44db3fca50b3347c36a41a0c2b
SHA512df23fc9ecebae23b81fe37eed94e16a1f06dcb1eb512ba9f9e97c43226aa45b757e73f646657d75713b7556a796988ef7b5dfaedb32f64bae1e686e154b80680
-
Filesize
93KB
MD5c9cc33876e573107bd280e23ca4a0610
SHA18f468a73f8806cb3ca56f111d20957bfc23956ff
SHA25652db954d7e51ed5b7583ed079cf9fed60259165be63e9d9891972ebe48f95b53
SHA512b7e7d3d2ec76621a5973e7048589ab98e2f333e5dccf49ce48215b9cb060a4af21f1a62355bea8a5a607d6d11ac27885125dc4acee96d7c4807a480ec2068933
-
Filesize
104KB
MD53f51cd9c7b0cae4d577cae131a007602
SHA1f12cc5a21725b9fd4622122782d5cd4d3c17f70d
SHA256c2c720a7b41e0ad1530b620313d7d6050732532366d816202e3018fad930606e
SHA5129f00202bbf88d5d9bcc6fd49ec4e64c27a73dc560f6db147f97b4a86ed30ece856afe8862a1bfb5a6c3af7dfd2ba69ce8597e15b1a0a0edd7920ea59c440607c
-
Filesize
98KB
MD5fd6a014492c1b9fb1c4532f8aa15dab4
SHA10563625631ca2c465279ce6e8030f5534c8b0d46
SHA256e9d31fa88818a5ddaf1c19ef6bbdce8513fe39d49a4d005a381b0fdc09fef1cd
SHA5126a1f29945265f575378e755fbf0b7fd0315552c4af4976485a4f25421e5fb5f87b6bad31d40dfe2e4412dd62a463fe265f1263f810a29b4e3196affe55a10e28
-
Filesize
91KB
MD58bb5f23b955e754d9d889deb281788b6
SHA13a610662fb57f84bea86153173071aa651cf63ad
SHA25607cdeab8faeff69b5253bde230a2547bb707757e27a7502ff633ed9b6c01a5c4
SHA512d4899cb97a8915bd7bea5589b177edd5a169f524b402a1b7bb88ac4e6d19c99a50ea8b886bea4118607fe8e71b6c90771a75f528eeb1edae22c5f58b1de981e0
-
Filesize
88KB
MD5a18bd8dff83327d5e86ac1d3732b328f
SHA14ad694f3c5f240fb758ec25148e46984d2373aab
SHA2562920931230801899486bdc35dc8b908247cf4322ac79cceb2de1b884685a9cdf
SHA5122c1488a5e904a63f111ed5117888d29dad9b3522349638ed427b4e455302c436e5c3abe137d3e3689db7a9f286209c44d3e3ee59a7f5761ee71fa80880635146
-
Filesize
1KB
MD577912af7338afe8496e3864aebf913c2
SHA1505fa5e1d7224d2d5acd5cf0decc6cabd5d48499
SHA256eefdfa12506eda16e36dc9d64adf39fa4ca6c99a9429255bb5e09847c2c0f716
SHA512c78e2ef44e55d07de2a71bff2eff4b4e8baae9f092ea84f9642b75b4e63415301a17ab52bf07a970e706570ac09672c97233f1e38d99481ce6e421d3b833e50d
-
Filesize
5.8MB
MD5e602387055ae7b12c23fbeefeb417682
SHA14efa866cca9693eafb65a6babfebd64bf99037da
SHA2568df68686863894e7f47069b854d07d6eb449269f527c09433495efb130f33dde
SHA51287ee31aaf7929c3ef6ddad322727185efe0702f239d81eeda85ff0bc5c873316a660129aecc3bde5809de1449efd5de0f458db27610d126a69dddf35d38c27f3
-
Filesize
488KB
MD5851fee9a41856b588847cf8272645f58
SHA1ee185a1ff257c86eb19d30a191bf0695d5ac72a1
SHA2565e7faee6b8230ca3b97ce9542b914db3abbbd1cb14fd95a39497aaad4c1094ca
SHA512cf5c70984cf33e12cf57116da1f282a5bd6433c570831c185253d13463b0b9a0b9387d4d1bf4dddab3292a5d9ba96d66b6812e9d7ebc5eb35cb96eea2741348f
-
Filesize
37KB
MD54cf94ffa50fd9bdc0bb93cceaede0629
SHA13e30eca720f4c2a708ec53fd7f1ba9e778b4f95f
SHA25650b2e46c99076f6fa9c33e0a98f0fe3a2809a7c647bb509066e58f4c7685d7e6
SHA512dc400518ef2f68920d90f1ce66fbb8f4dde2294e0efeecd3d9329aa7a66e1ab53487b120e13e15f227ea51784f90208c72d7fbfa9330d9b71dd9a1a727d11f98
-
Filesize
43KB
MD534ec990ed346ec6a4f14841b12280c20
SHA16587164274a1ae7f47bdb9d71d066b83241576f0
SHA2561e987b22cd011e4396a0805c73539586b67df172df75e3dded16a77d31850409
SHA512b565015ca4b11b79ecbc8127f1fd40c986948050f1caefdd371d34ed2136af0aabf100863dc6fd16d67e3751d44ee13835ea9bf981ac0238165749c4987d1ae0
-
Filesize
4KB
MD536076c2f9ed15bf717b1c25ac393cd1f
SHA133fdfa81edda4e15e508de82b961cf7a7a61ec09
SHA2564d5fec3e097af1243af2c83a8e30345177f32742c730d88ef9b12999c0cf66d0
SHA5122805ef0815ba159bd1f6c8e5c93281ba1c3f10ead8b3f274f6bf165fae87b628ab40079d78c6c4cd103bcee5d177ce7b24da39e1b9775d5f62e2bf10e38e1f04
-
Filesize
2KB
MD5b9e991c0e57c4d5adde68a2f4f063bc7
SHA10cb6b9eb7b310c37e5950bbcaf672943657c94b5
SHA2569c6c900e7e85fb599c62d9b9e4dfd2ea2f61d119dce5ed69ac3a8da828819241
SHA5123bbd31eed55c32435b01fe7356d39749e95f8f49222115ada841e751ad36227e6f427efdc4e8bad36d8ccd37c2e92c01fa67c24c23f52023df8c1e1be1a3b4f6
-
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\body-parser\package.json
Filesize1KB
MD5826bd4315438573ba1a6d88ae2a2aa65
SHA13e27986a947e7d10488739c9afb75f96b646c4c5
SHA2560fd31ad69fdcf1e2a94530f9db9c93e96709b690393a14711643123f678ee956
SHA5122e98ba8e57cb0950e45d20365d16e86ad94a60cfd4cf103b7d55dae02de677985d37c0f771e16ae0a628cb3b59adce8a9e1742cffc298f18cb7d935d72536e6d
-
Filesize
1KB
MD57f0a9d228c79f0ee4b89fc6117f1c687
SHA13c10082c1464a6f589aa10cda88285e780ebf857
SHA2565a3659bcc2e47b25ebf9f23f38eb9452a58920bfe4b59410bfa6fe84639a3b99
SHA5127bdd7259bcb8d79aa41777f03d3a3f8a29b60c2d25104072edba9febeb813e12ef78d31573637702decddbaa97d8fec263bc413bd27dd660ded17d644458cbc2
-
Filesize
224B
MD5866e37a4d9fb8799d5415d32ac413465
SHA13f41478fdab31acabab8fa1d26126483a141ffb6
SHA2564d2f5afc192178c5b0dc418d2da5826d52a8b6998771b011aede7fdba9118140
SHA512766d2e202dd5e520ac227e28e3c359cca183605c52b4e4c95c69825c929356cea772723a9af491a3662d3c26f7209e89cc3a7af76f75165c104492dc6728accc
-
Filesize
2KB
MD5d467bc485eddf6d38278bc6b1dc16389
SHA1e233882de62eb095b3cae0b2956e8776e6af3d6a
SHA2562f25585c03c3050779c8f5f00597f8653f4fb8a97448ef8ef8cb21e65ba4d15d
SHA5122add66b4f2e8ce463449ca8f2eac19363844b6ab159a41b42163028c57f07a4245ebefe759a6f90e8685b5bd239c969fe99366eff89378cb8b92b8a703dacd61
-
Filesize
2KB
MD53b5b76b70b0a549dce72c5a02756d2a8
SHA107786baebb5c52882e28a8bd281c9a36d63dd116
SHA256bdd67333ab62b0bfeb10ecbbb23936db57b743a3eec580a354591fdf63334859
SHA512bb266dfa725421fb26d26fda0f45a5fa5cd832667b05f27ceaf4e7fc1e032aeea8700493cfdd2941c3c38cd166eee1000d2b9ae3ddef375714e25a2027a943a3
-
Filesize
139B
MD5d0104f79f0b4f03bbcd3b287fa04cf8c
SHA154f9d7adf8943cb07f821435bb269eb4ba40ccc2
SHA256997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a
SHA512daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6
-
Filesize
43B
MD5c28b0fe9be6e306cc2ad30fe00e3db10
SHA1af79c81bd61c9a937fca18425dd84cdf8317c8b9
SHA2560694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641
SHA512e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9
-
Filesize
216B
MD5c2ab942102236f987048d0d84d73d960
SHA195462172699187ac02eaec6074024b26e6d71cff
SHA256948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a
SHA512e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479
-
Filesize
1KB
MD513babc4f212ce635d68da544339c962b
SHA14881ad2ec8eb2470a7049421047c6d076f48f1de
SHA256bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400
SHA51240e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182
-
Filesize
53B
MD5b9f2ca8a50d6d71642dd920c76a851e5
SHA18ca43e514f808364d0eb51e7a595e309a77fdfce
SHA256f44555af79dfa01a68ae8325382293fc68cd6c61d1d4eb9b8f7a42c651c51cde
SHA51281b6352bbabd0bffbc50bfcd0cd67dc3c2a7d63bda0bf12421410c0ec8047af549a4928b5c5c3e89ead99aa9240bddb461c618c49287c15d9d4d3a899e8f596a
-
Filesize
133KB
MD5a0bd0d1a66e7c7f1d97aedecdafb933f
SHA1dd109ac34beb8289030e4ec0a026297b793f64a3
SHA25679d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36
SHA5122a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50
-
Filesize
5.2MB
MD5aead90ab96e2853f59be27c4ec1e4853
SHA143cdedde26488d3209e17efff9a51e1f944eb35f
SHA25646cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed
SHA512f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d
-
Filesize
34B
MD50e2184f1c7464b6617329fb18f107b4f
SHA16f22f98471e33c9db10d6f6f1728e98852e25b8f
SHA256dbf5f44e1b84a298dbbcad3c31a617d2f6cfa08eb5d16e05a5c28726c574d4eb
SHA5128e745c0215d52e15702551f29efb882a5eba97b5f279ccc29293b1a9b1b8661bf71b548569f9a99fa35c35a15d1b6b288d3c381c1292418c36dc89e2fa0b3a37
-
Filesize
4.1MB
MD5fee348eb64504fd06b527d6694e1762b
SHA12b4f6598394f65a3a469e201005edec58ceff206
SHA2563988950e51bbab918762ca18d6bd5dfb94207942864813b7ad64ae7c46afb4fd
SHA512db766b02cd289a48d3581a9043031285a0a2cb9a6529023c391f30956fb114e99d84ce7f7f5414fdcb7ce0839f6fd26052084ff4f3f90d2fca09d0128a19f37a
-
Filesize
86KB
MD5d213a75b1956398e4c36bcc2f93339bf
SHA16a2739cc0e67f5593c744fbcbc8f00f12eef9954
SHA256ece75d080f94df4b3699389021337b1536cfed229d1325f09b03f0b0d6d85ab4
SHA512d32ddaf4c6f8f8df6c390d683e6c039f3b0d8f35f68f690b28bf88b17caedf0e11abd3aeb2e46238d0cd0a91b2db095cca0782b4e27f04453ea4cb6db38f4dd7
-
Filesize
522KB
MD5e31f5136d91bad0fcbce053aac798a30
SHA1ee785d2546aec4803bcae08cdebfd5d168c42337
SHA256ee94e2201870536522047e6d7fe7b903a63cd2e13e20c8fffc86d0e95361e671
SHA512a1543eb1d10d25efb44f9eaa0673c82bfac5173055d04c0f3be4792984635a7c774df57a8e289f840627754a4e595b855d299070d469e0f1e637c3f35274abe6
-
Filesize
99KB
MD57a2b8cfcd543f6e4ebca43162b67d610
SHA1c1c45a326249bf0ccd2be2fbd412f1a62fb67024
SHA2567d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f
SHA512e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8
-
Filesize
113KB
MD575365924730b0b2c1a6ee9028ef07685
SHA1a10687c37deb2ce5422140b541a64ac15534250f
SHA256945e7f5d09938b7769a4e68f4ef01406e5af9f40db952cba05ddb3431dd1911b
SHA512c1e31c18903e657203ae847c9af601b1eb38efa95cb5fa7c1b75f84a2cba9023d08f1315c9bb2d59b53256dfdb3bac89930252138475491b21749471adc129a1
-
Filesize
30.1MB
MD50e4e9aa41d24221b29b19ba96c1a64d0
SHA1231ade3d5a586c0eb4441c8dbfe9007dc26b2872
SHA2565bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d
SHA512e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913
-
Filesize
24.1MB
MD5e091e9e5ede4161b45b880ccd6e140b0
SHA11a18b960482c2a242df0e891de9e3a125e439122
SHA256cee28f29f904524b7f645bcec3dfdfe38f8269b001144cd909f5d9232890d33b
SHA512fa8627055bbeb641f634b56059e7b5173e7c64faaa663e050c20d01d708a64877e71cd0b974282c70cb448e877313b1cf0519cf6128c733129b045f2b961a09b
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
5.4MB
MD5a0396f9bb5e0144808cc7c7fda47e682
SHA176bef1c55c6f288ca5988d344c4e92ee8f3a6329
SHA256b5d35eaf2ca4befb5ac6de8680609c9a86fdc257b49d21ce4c8d17eddaa1b51a
SHA512dd49140d4661d813501d67c44d5fedd6bdc7ce731242fb33973b0b7a5b603344682fe1bc393fcf9fe3f5ad10ed9f1de7dbc42c66ec16b84063fe535f288ab7e0
-
Filesize
122KB
MD59fe9b0ecaea0324ad99036a91db03ebb
SHA1144068c64ec06fc08eadfcca0a014a44b95bb908
SHA256e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9
SHA512906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176
-
Filesize
211KB
MD5a3ae5d86ecf38db9427359ea37a5f646
SHA1eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA51296ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize
297KB
MD57a86ce1a899262dd3c1df656bff3fb2c
SHA133dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541
SHA256b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c
SHA512421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec
-
Filesize
1KB
MD5d6bd210f227442b3362493d046cea233
SHA1ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
Filesize
191KB
MD5eab9caf4277829abdf6223ec1efa0edd
SHA174862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA51245b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
-
Filesize
634KB
MD5cb264f7d256b42a54b2129b7a02c1ce3
SHA1d71459e24185f70b0c8647758663b1116a898412
SHA256d6aaee30c9b7edeac6939f78f4a55683c6358d9cc03dac487880d01f18700e83
SHA5124f623f5d21bc216f3dd040e6d0c663a8ea37efe5d0ce5f4aeb1ef5c1f7c873e19d1abc979d3e40d4dc70e2e4f0fc9a1b114b17d9eb852ea9a41d0f84356cd7cb