8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

Resubmissions

02-12-2024 07:45

241202-jlgcea1par 8

02-12-2024 07:41

241202-jh4crs1mhr 7

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

800KB
MD5

02c70d9d6696950c198db93b7f6a835e
SHA1

30231a467a49cc37768eea0f55f4bea1cbfb48e2
SHA256

8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3
SHA512

431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb
SSDEEP

12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz

Score

8^/10

discovery evasion trojan

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe

Executes dropped EXE 2 IoCs

pid	Process
1544	Solara.exe
3108	RobloxPlayerInstaller.exe

Loads dropped DLL 11 IoCs

pid	Process
5096	MsiExec.exe
5096	MsiExec.exe
3632	MsiExec.exe
3632	MsiExec.exe
3632	MsiExec.exe
3632	MsiExec.exe
3632	MsiExec.exe
3100	MsiExec.exe
3100	MsiExec.exe
3100	MsiExec.exe
5096	MsiExec.exe

Unexpected DNS network traffic destination 26 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1

Blocklisted process makes network request 2 IoCs

flow	pid	Process
79	2000	msiexec.exe
81	2000	msiexec.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerInstaller.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
115	pastebin.com
116	pastebin.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\validate-npm-package-name\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\diff.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\fastest-levenshtein\bench.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-owner.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\input.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmversion\lib\retrieve-tag.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\dist\diff.min.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-find-dupes.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\https-proxy-agent\dist\agent.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\color-support\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\nodewin\yarnpkg	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-fetch\lib\blob.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\selectors\selector.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\write-file-atomic\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\signal-exit\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\yallist\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\json-stringify-nice\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-dist-tag.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\emoji-regex\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\cacache\node_modules\glob\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\lib\stream.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@tootallnate\once\dist\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\json-parse-even-better-errors\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\are-we-there-yet\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\optional-set.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\util\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\util\unesc.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\http-cache-semantics\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmdiff\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\events\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-help-search.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\docs\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\minipass\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\agent-base\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\nodewin\npx	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-json-stream\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\org.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\node_modules\lru-cache\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\tools\emacs\README	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\lib\content\rm.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\fs\lib\move-file.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\brace-expansion\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\jsonparse\samplejson\basic.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\are-we-there-yet\lib\tracker.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man7\logging.7	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-exec.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\data\win\large-pdb-shim.cc	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\nodewin\npm	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\sigstore-utils.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\path-is-absolute\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\cacache\lib\entry-index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\gauge\lib\wide-truncate.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\lib\internal\streams\add-abort-signal.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\chalk\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\balanced-match\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\err-code\index.umd.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ip-regex\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man5\package-json.5	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\index.es6.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\read-cmd-shim\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\unique-filename\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\ca\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\nopt\lib\nopt.js	msiexec.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI791D.tmp	msiexec.exe
File created	C:\Windows\Installer\e583e50.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4235.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5267.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7572.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4B71.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e583e4c.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI48EE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4B41.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File created	C:\Windows\Installer\e583e4c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4255.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI41D6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5287.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI76F9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7C1C.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxPlayerInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RobloxPlayerInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RobloxPlayerInstaller.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2172	ipconfig.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133775991619316357"	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 32 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3756129449-3121373848-4276368241-1000\{53590406-F695-4522-8542-0F7BCE358527}	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeRuntime	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\PackageCode = "347C7A52EDBDC9A498427C0BC7ABB536"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\PackageName = "node-v18.16.0-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPath	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductIcon = "C:\\Windows\\Installer\\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\\NodeIcon"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\corepack	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeEtwSupport = "NodeRuntime"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\npm	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\DocumentationShortcuts	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Version = "303038464"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductName = "Node.js"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4660	chrome.exe
4660	chrome.exe
1396	Bootstrapper.exe
1396	Bootstrapper.exe
1396	Bootstrapper.exe
2000	msiexec.exe
2000	msiexec.exe
1544	Solara.exe
1544	Solara.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
3108	RobloxPlayerInstaller.exe
3108	RobloxPlayerInstaller.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2936	WMIC.exe
Token: SeSecurityPrivilege	2936	WMIC.exe
Token: SeTakeOwnershipPrivilege	2936	WMIC.exe
Token: SeLoadDriverPrivilege	2936	WMIC.exe
Token: SeSystemProfilePrivilege	2936	WMIC.exe
Token: SeSystemtimePrivilege	2936	WMIC.exe
Token: SeProfSingleProcessPrivilege	2936	WMIC.exe
Token: SeIncBasePriorityPrivilege	2936	WMIC.exe
Token: SeCreatePagefilePrivilege	2936	WMIC.exe
Token: SeBackupPrivilege	2936	WMIC.exe
Token: SeRestorePrivilege	2936	WMIC.exe
Token: SeShutdownPrivilege	2936	WMIC.exe
Token: SeDebugPrivilege	2936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2936	WMIC.exe
Token: SeRemoteShutdownPrivilege	2936	WMIC.exe
Token: SeUndockPrivilege	2936	WMIC.exe
Token: SeManageVolumePrivilege	2936	WMIC.exe
Token: 33	2936	WMIC.exe
Token: 34	2936	WMIC.exe
Token: 35	2936	WMIC.exe
Token: 36	2936	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2936	WMIC.exe
Token: SeSecurityPrivilege	2936	WMIC.exe
Token: SeTakeOwnershipPrivilege	2936	WMIC.exe
Token: SeLoadDriverPrivilege	2936	WMIC.exe
Token: SeSystemProfilePrivilege	2936	WMIC.exe
Token: SeSystemtimePrivilege	2936	WMIC.exe
Token: SeProfSingleProcessPrivilege	2936	WMIC.exe
Token: SeIncBasePriorityPrivilege	2936	WMIC.exe
Token: SeCreatePagefilePrivilege	2936	WMIC.exe
Token: SeBackupPrivilege	2936	WMIC.exe
Token: SeRestorePrivilege	2936	WMIC.exe
Token: SeShutdownPrivilege	2936	WMIC.exe
Token: SeDebugPrivilege	2936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2936	WMIC.exe
Token: SeRemoteShutdownPrivilege	2936	WMIC.exe
Token: SeUndockPrivilege	2936	WMIC.exe
Token: SeManageVolumePrivilege	2936	WMIC.exe
Token: 33	2936	WMIC.exe
Token: 34	2936	WMIC.exe
Token: 35	2936	WMIC.exe
Token: 36	2936	WMIC.exe
Token: SeDebugPrivilege	1396	Bootstrapper.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 744	1396	Bootstrapper.exe	83
PID 1396 wrote to memory of 744	1396	Bootstrapper.exe	83
PID 744 wrote to memory of 2172	744	cmd.exe	85
PID 744 wrote to memory of 2172	744	cmd.exe	85
PID 1396 wrote to memory of 4144	1396	Bootstrapper.exe	90
PID 1396 wrote to memory of 4144	1396	Bootstrapper.exe	90
PID 4144 wrote to memory of 2936	4144	cmd.exe	92
PID 4144 wrote to memory of 2936	4144	cmd.exe	92
PID 4660 wrote to memory of 1912	4660	chrome.exe	99
PID 4660 wrote to memory of 1912	4660	chrome.exe	99
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 1316	4660	chrome.exe	100
PID 4660 wrote to memory of 2748	4660	chrome.exe	101
PID 4660 wrote to memory of 2748	4660	chrome.exe	101
PID 4660 wrote to memory of 1456	4660	chrome.exe	102
PID 4660 wrote to memory of 1456	4660	chrome.exe	102
PID 4660 wrote to memory of 1456	4660	chrome.exe	102
PID 4660 wrote to memory of 1456	4660	chrome.exe	102
PID 4660 wrote to memory of 1456	4660	chrome.exe	102
PID 4660 wrote to memory of 1456	4660	chrome.exe	102
PID 4660 wrote to memory of 1456	4660	chrome.exe	102
PID 4660 wrote to memory of 1456	4660	chrome.exe	102
PID 4660 wrote to memory of 1456	4660	chrome.exe	102
PID 4660 wrote to memory of 1456	4660	chrome.exe	102
PID 4660 wrote to memory of 1456	4660	chrome.exe	102
PID 4660 wrote to memory of 1456	4660	chrome.exe	102
PID 4660 wrote to memory of 1456	4660	chrome.exe	102
PID 4660 wrote to memory of 1456	4660	chrome.exe	102
PID 4660 wrote to memory of 1456	4660	chrome.exe	102
PID 4660 wrote to memory of 1456	4660	chrome.exe	102
PID 4660 wrote to memory of 1456	4660	chrome.exe	102
PID 4660 wrote to memory of 1456	4660	chrome.exe	102
PID 4660 wrote to memory of 1456	4660	chrome.exe	102
PID 4660 wrote to memory of 1456	4660	chrome.exe	102
PID 4660 wrote to memory of 1456	4660	chrome.exe	102
PID 4660 wrote to memory of 1456	4660	chrome.exe	102

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2172
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
  2⤵
  PID:4424
- C:\ProgramData\Solara\Solara.exe
  "C:\ProgramData\Solara\Solara.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff90efecc40,0x7ff90efecc4c,0x7ff90efecc58
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1868,i,11777961920377900191,11580813211044039858,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  PID:1316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1944,i,11777961920377900191,11580813211044039858,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2044 /prefetch:3
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,11777961920377900191,11580813211044039858,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,11777961920377900191,11580813211044039858,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3232,i,11777961920377900191,11580813211044039858,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3704,i,11777961920377900191,11580813211044039858,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4712,i,11777961920377900191,11580813211044039858,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3576,i,11777961920377900191,11580813211044039858,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3512 /prefetch:8
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4612,i,11777961920377900191,11580813211044039858,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=240,i,11777961920377900191,11580813211044039858,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3496,i,11777961920377900191,11580813211044039858,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3296,i,11777961920377900191,11580813211044039858,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5144 /prefetch:8
  2⤵
  - Modifies registry class
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5744,i,11777961920377900191,11580813211044039858,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5752,i,11777961920377900191,11580813211044039858,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5676,i,11777961920377900191,11580813211044039858,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=2932,i,11777961920377900191,11580813211044039858,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  PID:512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3504,i,11777961920377900191,11580813211044039858,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5932 /prefetch:8
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5724,i,11777961920377900191,11580813211044039858,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  PID:1496

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:528

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2000
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 1BC632AC9F8CBBE39C8B80A2360065EC
  2⤵
  - Loads dropped DLL
  PID:5096
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ABB01FD417EA4D14AD11561AEB885A1A
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3632
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B55AAAEB6618C0C4AAB94FFAB57701B0 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3100
- - C:\Windows\SysWOW64\wevtutil.exe
    "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3804
  - - C:\Windows\System32\wevtutil.exe
      "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
      4⤵
      PID:1424

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4964

C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe
"C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe"
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e583e4f.rbs

Filesize
1.0MB

MD5
42dc03a9f6b0572ff93256cc2c2082ac

SHA1
d97b9756a3a21d2f0ef0500200b971afe2ff4da4

SHA256
a425ab88dc21af7014a90a9b91fbf84151cc1da3b18740df6da566860aee2ae6

SHA512
350f86d23b65e3d1bef47be15db024ed7d07ccf9e3d98c215448a7c3f06f07a27f260074624965d79c536fd73830d2759826e391a6136395cea46c5862a79702

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
10KB

MD5
1d51e18a7247f47245b0751f16119498

SHA1
78f5d95dd07c0fcee43c6d4feab12d802d194d95

SHA256
1975aa34c1050b8364491394cebf6e668e2337c3107712e3eeca311262c7c46f

SHA512
1eccbe4ddae3d941b36616a202e5bd1b21d8e181810430a1c390513060ae9e3f12cd23f5b66ae0630fd6496b3139e2cc313381b5506465040e5a7a3543444e76

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
8KB

MD5
d3bc164e23e694c644e0b1ce3e3f9910

SHA1
1849f8b1326111b5d4d93febc2bafb3856e601bb

SHA256
1185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4

SHA512
91ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\aggregate-error\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\LICENSE.md

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts

Filesize
4KB

MD5
f0bd53316e08991d94586331f9c11d97

SHA1
f5a7a6dc0da46c3e077764cfb3e928c4a75d383e

SHA256
dd3eda3596af30eda88b4c6c2156d3af6e7fa221f39c46e492c5e9fb697e2fef

SHA512
fd6affbaed67d09cf45478f38e92b8ca6c27650a232cbbeaff36e4f7554fb731ae44cf732378641312e98221539e3d8fabe80a7814e4f425026202de44eb5839

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\LICENSE

Filesize
771B

MD5
1d7c74bcd1904d125f6aff37749dc069

SHA1
21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab

SHA256
24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9

SHA512
b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
db7dbbc86e432573e54dedbcc02cb4a1

SHA1
cff9cfb98cff2d86b35dc680b405e8036bbbda47

SHA256
7cf8a9c96f9016132be81fd89f9573566b7dc70244a28eb59d573c2fdba1def9

SHA512
8f35f2e7dac250c66b209acecab836d3ecf244857b81bacebc214f0956ec108585990f23ff3f741678e371b0bee78dd50029d0af257a3bb6ab3b43df1e39f2ec

Download Submit
C:\ProgramData\Solara\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\ProgramData\Solara\Solara.exe

Filesize
133KB

MD5
c6f770cbb24248537558c1f06f7ff855

SHA1
fdc2aaae292c32a58ea4d9974a31ece26628fdd7

SHA256
d1e4a542fa75f6a6fb636b5de6f7616e2827a79556d3d9a4afc3ecb47f0beb2b

SHA512
cac56c58bd01341ec3ff102fe04fdb66625baad1d3dd7127907cd8453d2c6e2226ad41033e16ba20413a509fc7c826e4fdc0c0d553175eb6f164c2fc0906614a

Download Submit
C:\ProgramData\Solara\Wpf.Ui.dll

Filesize
5.2MB

MD5
aead90ab96e2853f59be27c4ec1e4853

SHA1
43cdedde26488d3209e17efff9a51e1f944eb35f

SHA256
46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed

SHA512
f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\81e53592-a738-4db7-825f-79a653a00110.tmp

Filesize
649B

MD5
a6a6af9f3bfd97d11587991b48718a33

SHA1
29c2bd874088bf886d189068163969aa22d72f63

SHA256
2c527514224b6caa3d299d0317986682932d72e5df1914c3021c6383200b58de

SHA512
a28a1ef5767058eaf25b88cc625dfe7ac846f69444906837ac83b970e8e1118f7a64f6aa349ca4e4416f2b0020b531b9ca47c2405a4e64e209bb2b184b722a7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8fe55621-5c9d-4347-873e-5c8552f79b26.tmp

Filesize
9KB

MD5
b32b38f48b7b138575f2e9c18fb192be

SHA1
016c7d726bed0822830c9649cd4baa9076a54d30

SHA256
83d00a996996fe7d9d517920d0d5bcb0fcf028afb14806d14c2b2696bcef7b52

SHA512
bf1a34f135473ea8d1a989107632e345b1f9790d5749902c5925ea7fc90310b6b7d18489218c591159b7852a275c99ed2c54fd93cf26541674ea0702b21b1e2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
63d304473a7af634d3d0e56114ccc3ea

SHA1
7c4ae1ebd6cf1c574c9a0545f3647c2fccf87271

SHA256
a857601c884d54fa3643b325d3d420c02b50c7678f2eede1b15f2521dae44934

SHA512
c827dedfd60d88a227c55d4e4c1d0d2808168c5a5868578228761772ccf6e99560d140f56c2223730f20e725c89b0a275d0950ef51eedadff9d596c9c4f71f12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
08f1424106b3e0efa4a1f6b6f22946c3

SHA1
0a944e83f1637772cc3dbf8d033d94f394b8ea6e

SHA256
77b3676f01210d6d6d26a3cb92db5a09ed260ee22054fa2758784f0425388c1b

SHA512
2cb3ed2f0493fb7d0d3714ac5d164f3fdf15ff54e60e4043fc7b5e83c707f5bf4247d2114b62317d26ca5a4a33b89a60ec7f4b929dbce754e97fe31fa74006b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
e6b13c911545b8ec6c5dfe86112e28a4

SHA1
a3bb901d06885e4565ffc14abed67df52bfa0f6a

SHA256
366c569e54cd37c2c2c9d1669056bee99a5b9402df884e4850e26249fa76e045

SHA512
1680253dec35ac47129b66a93fbc15dc8af30747b9e301e6c1ea8c0fdb57f95eec5622889eaad77145a98c49147e7aaccf3594c37710c1886c322e5d57c773d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\LOG.old

Filesize
387B

MD5
5848ab6634c430539e37b99cf3fe4fab

SHA1
140a2a4bd0941345887264e464b278f9dc48a646

SHA256
5103782bb56d2b2a805c94efaf9efe7e8491389949108a5b20bb345bcd9548d0

SHA512
f6b62d68bb34f737d3f8dcfe854a7e6f4f23a62f78e282db29b2f26bd2b5330b0f2705c664888b9b9868d761710cd9eaca3e2ad7353dd811651cc8599f23a29e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\LOG.old~RFe59835f.TMP

Filesize
672B

MD5
5d4e5accb8484c070f86d2fe38643300

SHA1
e8c15b423505581c4fda34712d1fe72c55a8cf71

SHA256
2a85611b003590b0ac8365532c60921d2dd40e11a127e2ae0cf4920f44dbbda7

SHA512
926b80b4f582360c83a1a2c9bf096446dbec4cf3e3fc223995b7a10725ad029dd0f31325d5ffebe08ec91558d8ff79e76bd5557945e6746d7e987b1428bce920

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
100B

MD5
28dea9a5a4492fcd5011d08eb61c4542

SHA1
9f3fcb422f5b77f49fd093a9cca4882f7e5ad6c0

SHA256
d0ae48f70dea07ddc72cebfab98cf0613552750422affa3d157e7f66b702b5a4

SHA512
78a84ddee64d5cc2155202c7686b126d44dd4c5affcc939f992e0a39f55bbf577c05ace6df3ed4e28e7f05b3dd1c8712802442704465dd2674d58348b0ad1cd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
d00c9074a86067ee53656b0e8da9f5d6

SHA1
065c57aa704a7fe76fa9c9e634b5b631b8d4a444

SHA256
9bf9761df19a5a0040e946bf1344679b3d77b59527fed00d2d217cfa4b9ab2da

SHA512
0f97af1ce8101bfde7f2bbf656f6e269592ff6b4629acdd171bf698f48eb99f75ba955e6839d46a0584830ddc1797b5ef090f6cc0245bd388626a81a3ee5c716

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
4c6df9e43a71a0fae5de223e356888cf

SHA1
beb6e68245176128cfd422542135fe01caca3cca

SHA256
9dee5a0321efedddb5218ffa1f418a8e63df2817a9ce8d8713aca79af2917964

SHA512
13f98d2078bb41b2a33dff44b53dac4f0cde74e69bc5e9c11578d0ee81a93ee758ab8d3b78a67c1b709b7005258a165c38e7be7c893f4daa3eb3e699f511e62f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
cb1b9dc42824a69a8429f922c21f2795

SHA1
df458c5c646f687409d77b678ddacbc90ea71074

SHA256
9bc155fd041242470387217158301d00b08d586750e563e8fd744e2708878be8

SHA512
56c2ea84150539d10b9ae933f33e392cc9272b955e1f77e7eeb7921c1d72a9e84d2c0f1d272b6d4ba62dbbc598748e65fb40a63b85ab2b7f3c2f92473d0b29cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a27e3039576e127443ab94ade4962499

SHA1
bcf14b9e7c3993b536cc3008eeb8c42178c53213

SHA256
f9259786feeb37c718f533afc8efd79ab855c1312c0b33557b2c3a6da0c4434a

SHA512
f2907e3361b7cd02bca3034d3401486b77073de29dc83eb688a9303e5be2dfdbc512063641d1f4dc14466bafc047274404386d4bc8313751d094297fa90a7178

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
db4b6416413a21ced2ab20f3ffbadeee

SHA1
dbf5feab8905b3ecad503377f33e8a7d0d0ad532

SHA256
9a83e6d1c6c608e53bb96d59b24e00e57482c493661e2c9e7c15e1cd6845ee30

SHA512
ae50e739d492f1dc3328e5a7250e857941cec4ce27d9b431da94cea6f5de339c7647a94c593deac15850fbde16300f5c305526a39d11344235fbfff3afa7d842

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
39e435ba9f2452769e70f8599e2e0729

SHA1
0e15c02650c67c29854338e7691cb4bf3b8f02e4

SHA256
219e621274522fbad97e5b98bead317e6d58b47a24289554a0f63bc2f393733c

SHA512
532e7ea45bacd68ee754ba600b31f5597ca10e6bc229d2ee7992909aff31e087a1ba570c83f482b7189217ca0b29e6d0b936920e6e04b68192f4597307b03e6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
1c07233ca9315609c0c8294cd13d4a75

SHA1
285db0f5deb6b2860d66db188d5786cec8cf9ec4

SHA256
4f2397ae3053135f8aac0f168a7e4df9896253810765d7f70ddd86c59fe9a538

SHA512
7fd0b8a893180a235dae471b8b9b598d6d6a0d8578ada73086c080a21ea8446884f60dea7ff9cec7f43e0edde0e0c9e2a85125436e4ccdd89789619c1cf18166

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0a445eafd430230a854deafef9d666ec

SHA1
c78494910c51abcf145ca0a61d39e729bdbadb36

SHA256
94341df79f1f4a757a72f17f398617d3f2f58a8a02000822d784669fee05a91e

SHA512
f945f1a43c0ad5432dd01f3b40512e8b4d96979e7f44cb398786bef9236536baade113883e47eb0a18dafd0c395992cfeb95560412091106af4e012fcd522b8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b69821d66617c7d881bcf2ecd71ff40c

SHA1
cbac68f9d7ed0673abdcaac0bd3e673478be2c84

SHA256
dd57037c3ab6aa19de3d2b0b2030ba433800a795d70d6033947357c66416c56a

SHA512
e74a73b9504a25f17e6ac898378e0608bacb0a8c84b6882995a5e1421bfd4366d25e4438e968d45f4e17fcbfd0b6b8a3a8d359547d5fde92c7c143901b6443c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f5b7ab467406b8c6314c66207644eef7

SHA1
d4394e8a2ff1a2e6b771b7101e12a822ff8467dd

SHA256
1c425fc4fa6ed68b95c0c4f658c51770521e5b3006f9f0526771436b27d1cae0

SHA512
f12f35a0f88236d0861cad7d83addd5ac8d29515dbc7095f684ccdca18de7c017e3fa6087096e0d6f030fb28c8f2a47f4c8508946556daa5cbd7c4cb980063c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8c33ebbd9305e3a1842eb51c8ae6d562

SHA1
36eeacbe1e0ed0c280ce4dc1fd27c87383099c6a

SHA256
63bf27f51c6d6bc5a59e57eb6f2d0bd506347aaacddcbc4f550c86a02f2b7456

SHA512
05787b815724e68b5b5d4b830cf8eed5e765e75650dd0439cd3c1acd5c4eb7cee2fedf3feb4ed469986c11467bd5b413183126b95bd7a93962a23b3d1fe62959

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6d499d141f65154842795989e8ecc223

SHA1
8cadb6c9074e8d1eb657a4cde98842243fba06f3

SHA256
e499f8b80ccad9f9861bc3adcf670cf94e7b51ca3fe9983308e9af161de02766

SHA512
891548af1946dfe66154824326da1c125ea31e16fe57aa84db558ea534b2dea423fd4a9abc5053cc4a963872f97dd1b10d3706bd060665dd59319809ecf26170

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5351873581e7ac1c9adc52a4bd7ef3ce

SHA1
7f8c56e7cac93da4dac1d471d46e7bcbb975d9e0

SHA256
0cc1624d7337e6946ce176c341ab0a21ddbf24f6c30c534a6b5a8dfd027fb3d4

SHA512
9968b9803c628cafe1eb84ac08d1700b18fb513499fd0179a3f68c90eef4180b3f01f44569273bd10f99cbf1b0c597c25b41eb3bf8dfcce8693e139aa34074a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
58dc52e392a814fdc260765aa4ea61ec

SHA1
a4f9dfd97bf89c2895adab794bebb8cf5f2bb5b8

SHA256
1aaa217d86c066e241fd2f7b212322974e6bcfa9cdb7ec2a49c90d502d960702

SHA512
880bdba516cfb90f4fe13c1bff9318d99fe009ce7650e865ab136e9e11f62f360aa60f0cf710eb725859c8a38f516be7197b70f2ba73e534a1b9f6b24d4ae27e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3506f59eb4d1e79ad3044ed2e93ca645

SHA1
44e0392d6e57a3e0413241645756deaa073b1231

SHA256
c3a486f980ec1b1f007727a4ec5eba01497684905c434aafd603186f4b93a735

SHA512
977cdf08a063ee7cd66f95a40677f5e13a8e136bd801ff0e4ab63787877451879c1ca3846191d4b5c581f181c59020133d11d0119cc25c309b1dc4925479fe19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2b50d306bd8230c4e6d649e8048a64c8

SHA1
ce6c639cfbbc056fe4421da203824891a7c0522a

SHA256
ca3bb56eac17d081a2d28479a4a3f584f62d5eda094138d6f13c5c2ed2dd6b14

SHA512
7422c4bb93f0dbcb702649e3e85becb774e49cad9ea2084fbe4ba31cac48641e22c56245b8ac8c764b65c5a3999977949d912d33c601409ae5b414c386424e9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
69a5ff69cd3273006c185b47e7121702

SHA1
637e762586d2242c37bba5e061c959fa62d53672

SHA256
97624615ece9f2d9914aa08c0f9a7649366b03ea4ac2a99397bdb80e43c26ce8

SHA512
6d576d05d72bd913725fad0e43ea6a1e65db244abc75ba64f92784e486ecd0d840fd91591d6bd134b40848a332d8292161c71b148b85272685e9ab67d34a6199

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\3\CacheStorage\index.txt

Filesize
94B

MD5
cc5215204b9000a990b4ca6a06fa3513

SHA1
4736218add7a44f165e576faa4cf705c56ac5d37

SHA256
e978c11ee9cc041b0d4b3325066d6cd6a7ae12cb553c454f96ba10e0209561d2

SHA512
530436a5e8817c17265c6fde68ff8b773a3b008bb60887f600f47ade48365da197e27697c11f80c3b807614b2d374faf6d1d90c0d702519feec1d675a7a0fa1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\3\CacheStorage\index.txt~RFe598a16.TMP

Filesize
158B

MD5
20b515b53064d1d52dbd7000f2349d2a

SHA1
ad4643370f93f97099f497eb4e93f1ba9e4cf5ab

SHA256
0dee6c70997734e7a2cd79a74699eeb9983eea5dc7e905f8b3a250f200b66725

SHA512
f59909d49efa589222e258c0e47bc08f39aca34f47ed54bb3294217dc4b15b882f1b7fb603df335d4fbae10d7b69700289784c32e8cca78c88e6952cf4c60973

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
26b9e08b52479696792c9a9d4234b117

SHA1
bd439e9fa6de5b21c37b08bf68ad34138b046932

SHA256
6b4eb7e644be6a4f0d4bd513b6bea5bcebbb6a006fab81c6adce139d49d550c3

SHA512
ee69d83ad69f61402baadab31563b8bb4c29bd8c3227cee00ade77fa07ac3810d02429f73a7ee82d1780c0b7d0c1e7d35cf20a667ba0e209022bdadefa0799f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
68ef4ded1d3270ce28013b57b723a95e

SHA1
dd0397381273acfdde9f424b7f885816b645ffca

SHA256
8c9809689f53b7085bbc2cda8044216d174be93cfab32d970bac8748c8af4be7

SHA512
d6aa2b2865f43ef90126491dec67bcaeca7f774cf39e71cd092ab59321b89884769973e9a005cbe0ff36a93f19a49b53bb3780aa2d72ec7b653f0e8b9ce25ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

Filesize
30.1MB

MD5
0e4e9aa41d24221b29b19ba96c1a64d0

SHA1
231ade3d5a586c0eb4441c8dbfe9007dc26b2872

SHA256
5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

SHA512
e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

Download Submit
C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe

Filesize
6.9MB

MD5
1c4187f0b612a9a473010dcc37c37a82

SHA1
34d46733452812d481adeedad5eaea2cf4342540

SHA256
c8d55b0f4f25caf135dabc7f21b9548263022107e9740dfe692b402469cd47bd

SHA512
075678e24a867d5630da324e934837d81a3fa1d848a15feeb2a7be268d38b81ca4210cd44a22e9869173edebecd1947968327ddce16a85b71c03e6307e365def

Download Submit
C:\Windows\Installer\MSI41D6.tmp

Filesize
122KB

MD5
9fe9b0ecaea0324ad99036a91db03ebb

SHA1
144068c64ec06fc08eadfcca0a014a44b95bb908

SHA256
e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

SHA512
906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

Download Submit
C:\Windows\Installer\MSI4255.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSI4B41.tmp

Filesize
297KB

MD5
7a86ce1a899262dd3c1df656bff3fb2c

SHA1
33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

SHA256
b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

SHA512
421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

Download Submit
memory/1396-2-0x00007FF9158F0000-0x00007FF9163B1000-memory.dmp

Filesize
10.8MB

Download
memory/1396-5-0x00000250D4FB0000-0x00000250D4FD2000-memory.dmp

Filesize
136KB

Download
memory/1396-4-0x00007FF9158F3000-0x00007FF9158F5000-memory.dmp

Filesize
8KB

Download
memory/1396-2973-0x00007FF9158F0000-0x00007FF9163B1000-memory.dmp

Filesize
10.8MB

Download
memory/1396-30-0x00007FF9158F0000-0x00007FF9163B1000-memory.dmp

Filesize
10.8MB

Download
memory/1396-0-0x00007FF9158F3000-0x00007FF9158F5000-memory.dmp

Filesize
8KB

Download
memory/1396-2526-0x00000250D51D0000-0x00000250D51E2000-memory.dmp

Filesize
72KB

Download
memory/1396-1-0x00000250BA980000-0x00000250BAA4E000-memory.dmp

Filesize
824KB

Download
memory/1396-2504-0x00000250D50A0000-0x00000250D50AA000-memory.dmp

Filesize
40KB

Download
memory/1544-2968-0x0000021934820000-0x0000021934D5C000-memory.dmp

Filesize
5.2MB

Download
memory/1544-2957-0x0000021919480000-0x00000219194A4000-memory.dmp

Filesize
144KB

Download
memory/1544-2974-0x0000021934490000-0x000002193454A000-memory.dmp

Filesize
744KB

Download
memory/1544-2976-0x0000021934550000-0x0000021934602000-memory.dmp

Filesize
712KB

Download