Analysis
-
max time kernel
172s -
max time network
172s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system -
submitted
04-05-2024 12:40
Behavioral task
behavioral1
Sample
SolaraBETA.exe
Resource
win11-20240426-en
Errors
General
-
Target
SolaraBETA.exe
-
Size
78KB
-
MD5
934de8bca4253c836a2098f335c7a8d7
-
SHA1
7802dd411479e3217c7a48821ca3118d28fc461f
-
SHA256
03bc44c43b05a84d73688bfa58272cc48131c6edf2b86919b4576935d7fe7fb9
-
SHA512
43ed2f43a52a27908cf69b3e364b1a8a48b85396732b1d4436691e8d43fc77c944d9e7654ff990550a6b2e0f4f2c371d67936ae70c68ae22d683a2acaa58fcd7
-
SSDEEP
1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+iPIC:5Zv5PDwbjNrmAE+OIC
Malware Config
Extracted
discordrat
-
discord_token
MTE5NTg0ODc1MjI0NjgyNTA1Mg.G7iwnj.U4hRA5hZjWdmprvtP3VL2iI2OPKuIwgzMWzywY
-
server_id
1234555349349040179
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 3876 created 632 3876 SolaraBETA.exe 5 -
Disables Task Manager via registry modification
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow ioc 19 discord.com 36 discord.com 49 discord.com 3 discord.com 5 discord.com 8 discord.com 12 raw.githubusercontent.com 42 discord.com 1 discord.com 7 discord.com 10 discord.com 40 raw.githubusercontent.com -
Drops file in System32 directory 7 IoCs
description ioc Process File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx svchost.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp1BD0.tmp.png" SolaraBETA.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3876 set thread context of 4172 3876 SolaraBETA.exe 102 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 8 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 SystemSettings.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID SystemSettings.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 SystemSettings.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID SystemSettings.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 SystemSettings.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID SystemSettings.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 SystemSettings.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID SystemSettings.exe -
Enumerates system info in registry 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS SystemSettings.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer SystemSettings.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\Main Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" Explorer.EXE -
Modifies registry class 13 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData\windows.immersivecontrolpanel_cw5n1h2txy ApplicationFrameHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData\windows.immersivecontrolpanel_cw5n1h2txy = "4278190080" ApplicationFrameHost.exe Set value (data) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!m = 2c0000000000000001000000ffffffffffffffffffffffffffffffff28000000000000005803000081020000 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!m Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\SplashScreen Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData\windows.immersivecontrolpanel_cw5n1h2txy = "4294967295" ApplicationFrameHost.exe Set value (data) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!m = f401000040010000 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData\windows.immersivecontrolpanel_cw5n1h2txy = "1" ApplicationFrameHost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Explorer.EXE Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2551177587-3778486488-1329702901-1000\{6848D044-06E1-463F-BCDE-54F031D492A6} msedge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData\windows.immersivecontrolpanel_cw5n1h2txy = "2814749767500776" ApplicationFrameHost.exe Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData ApplicationFrameHost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4988 msedge.exe 4988 msedge.exe 4152 msedge.exe 4152 msedge.exe 3952 msedge.exe 3952 msedge.exe 4616 msedge.exe 4616 msedge.exe 4904 identity_helper.exe 4904 identity_helper.exe 3876 SolaraBETA.exe 3876 SolaraBETA.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 3876 SolaraBETA.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 3876 SolaraBETA.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 3876 SolaraBETA.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 3876 SolaraBETA.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 3876 SolaraBETA.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe 4172 dllhost.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process Token: SeDebugPrivilege 3876 SolaraBETA.exe Token: 33 1996 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1996 AUDIODG.EXE Token: SeDebugPrivilege 3876 SolaraBETA.exe Token: SeDebugPrivilege 4172 dllhost.exe Token: SeShutdownPrivilege 3264 Explorer.EXE Token: SeCreatePagefilePrivilege 3264 Explorer.EXE Token: SeShutdownPrivilege 3264 Explorer.EXE Token: SeCreatePagefilePrivilege 3264 Explorer.EXE Token: SeShutdownPrivilege 3264 Explorer.EXE Token: SeCreatePagefilePrivilege 3264 Explorer.EXE Token: SeShutdownPrivilege 3264 Explorer.EXE Token: SeCreatePagefilePrivilege 3264 Explorer.EXE Token: SeShutdownPrivilege 3264 Explorer.EXE Token: SeCreatePagefilePrivilege 3264 Explorer.EXE Token: SeShutdownPrivilege 3264 Explorer.EXE Token: SeCreatePagefilePrivilege 3264 Explorer.EXE Token: SeShutdownPrivilege 3264 Explorer.EXE Token: SeCreatePagefilePrivilege 3264 Explorer.EXE Token: SeShutdownPrivilege 1416 SystemSettings.exe Token: SeCreatePagefilePrivilege 1416 SystemSettings.exe Token: SeShutdownPrivilege 3264 Explorer.EXE Token: SeCreatePagefilePrivilege 3264 Explorer.EXE Token: SeShutdownPrivilege 3264 Explorer.EXE Token: SeCreatePagefilePrivilege 3264 Explorer.EXE Token: SeShutdownPrivilege 3264 Explorer.EXE Token: SeCreatePagefilePrivilege 3264 Explorer.EXE Token: SeShutdownPrivilege 3264 Explorer.EXE Token: SeCreatePagefilePrivilege 3264 Explorer.EXE Token: SeShutdownPrivilege 3264 Explorer.EXE Token: SeCreatePagefilePrivilege 3264 Explorer.EXE Token: SeShutdownPrivilege 3264 Explorer.EXE Token: SeCreatePagefilePrivilege 3264 Explorer.EXE Token: SeShutdownPrivilege 3264 Explorer.EXE Token: SeCreatePagefilePrivilege 3264 Explorer.EXE Token: SeShutdownPrivilege 3264 Explorer.EXE Token: SeCreatePagefilePrivilege 3264 Explorer.EXE Token: SeShutdownPrivilege 480 dwm.exe Token: SeCreatePagefilePrivilege 480 dwm.exe Token: SeShutdownPrivilege 3264 Explorer.EXE Token: SeCreatePagefilePrivilege 3264 Explorer.EXE Token: SeShutdownPrivilege 3264 Explorer.EXE Token: SeCreatePagefilePrivilege 3264 Explorer.EXE Token: SeShutdownPrivilege 3264 Explorer.EXE Token: SeCreatePagefilePrivilege 3264 Explorer.EXE Token: SeShutdownPrivilege 3876 SolaraBETA.exe -
Suspicious use of FindShellTrayWindow 38 IoCs
pid Process 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4764 ApplicationFrameHost.exe 1416 SystemSettings.exe 1416 SystemSettings.exe 1416 SystemSettings.exe 1416 SystemSettings.exe 1416 SystemSettings.exe 1416 SystemSettings.exe 1416 SystemSettings.exe 1416 SystemSettings.exe 1416 SystemSettings.exe 1416 SystemSettings.exe 1416 SystemSettings.exe 1416 SystemSettings.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 4152 msedge.exe 1416 SystemSettings.exe 1416 SystemSettings.exe 1416 SystemSettings.exe 1416 SystemSettings.exe 1416 SystemSettings.exe 1416 SystemSettings.exe 1416 SystemSettings.exe 1416 SystemSettings.exe 1416 SystemSettings.exe 1416 SystemSettings.exe 1416 SystemSettings.exe 1416 SystemSettings.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 2012 MiniSearchHost.exe 3264 Explorer.EXE 3264 Explorer.EXE 3264 Explorer.EXE 1416 SystemSettings.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3876 wrote to memory of 4152 3876 SolaraBETA.exe 82 PID 3876 wrote to memory of 4152 3876 SolaraBETA.exe 82 PID 4152 wrote to memory of 2084 4152 msedge.exe 83 PID 4152 wrote to memory of 2084 4152 msedge.exe 83 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4608 4152 msedge.exe 84 PID 4152 wrote to memory of 4988 4152 msedge.exe 85 PID 4152 wrote to memory of 4988 4152 msedge.exe 85 PID 4152 wrote to memory of 2368 4152 msedge.exe 86 PID 4152 wrote to memory of 2368 4152 msedge.exe 86 PID 4152 wrote to memory of 2368 4152 msedge.exe 86 PID 4152 wrote to memory of 2368 4152 msedge.exe 86 PID 4152 wrote to memory of 2368 4152 msedge.exe 86 PID 4152 wrote to memory of 2368 4152 msedge.exe 86 PID 4152 wrote to memory of 2368 4152 msedge.exe 86 PID 4152 wrote to memory of 2368 4152 msedge.exe 86 PID 4152 wrote to memory of 2368 4152 msedge.exe 86 PID 4152 wrote to memory of 2368 4152 msedge.exe 86 PID 4152 wrote to memory of 2368 4152 msedge.exe 86 PID 4152 wrote to memory of 2368 4152 msedge.exe 86 PID 4152 wrote to memory of 2368 4152 msedge.exe 86 PID 4152 wrote to memory of 2368 4152 msedge.exe 86 PID 4152 wrote to memory of 2368 4152 msedge.exe 86 PID 4152 wrote to memory of 2368 4152 msedge.exe 86 PID 4152 wrote to memory of 2368 4152 msedge.exe 86 PID 4152 wrote to memory of 2368 4152 msedge.exe 86 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:632
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:480
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{ce205d63-79ab-445c-b312-3a2486113a7f}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4172
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:692
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:996
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:752
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:440
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1108
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵PID:1124
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1148
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1200
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1272
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵PID:1328
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1340
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1396
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2280
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
PID:1568
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1616
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1628
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵PID:1672
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1716
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1780
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1836
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1876
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004CC2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1996
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1952
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1968
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:1536
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1724
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2136
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2312
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2400
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2504
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2516
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵PID:2540
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2624
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2640
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2672
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2692
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2704
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2772
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3124
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3264 -
C:\Users\Admin\AppData\Local\Temp\SolaraBETA.exe"C:\Users\Admin\AppData\Local\Temp\SolaraBETA.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Sets desktop wallpaper using registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/WYfWwE7F3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8bd473cb8,0x7ff8bd473cc8,0x7ff8bd473cd84⤵PID:2084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,1086093436964663302,13526619704878776101,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1968 /prefetch:24⤵PID:4608
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,1086093436964663302,13526619704878776101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:4988
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,1086093436964663302,13526619704878776101,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 /prefetch:84⤵PID:2368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,1086093436964663302,13526619704878776101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:14⤵PID:4076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,1086093436964663302,13526619704878776101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:14⤵PID:1696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,1086093436964663302,13526619704878776101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:14⤵PID:2156
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1956,1086093436964663302,13526619704878776101,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4624 /prefetch:84⤵PID:3928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1956,1086093436964663302,13526619704878776101,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4628 /prefetch:84⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1956,1086093436964663302,13526619704878776101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
PID:4616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,1086093436964663302,13526619704878776101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
PID:4904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,1086093436964663302,13526619704878776101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:14⤵PID:2460
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,1086093436964663302,13526619704878776101,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:14⤵PID:4352
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,1086093436964663302,13526619704878776101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:14⤵PID:1248
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,1086093436964663302,13526619704878776101,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:14⤵PID:4984
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3456
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:3496
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3828
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3888
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3956
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵PID:3984
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵PID:4192
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵PID:4384
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:5000
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:3584
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:840
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:1752
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:2824
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵PID:4768
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵PID:2952
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:2936
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:4740
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:912
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1248
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵PID:1100
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:2012
-
C:\Windows\system32\ApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4764
-
C:\Windows\ImmersiveControlPanel\SystemSettings.exe"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1416
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:4352
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:2420
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc1⤵PID:4544
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:5548
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:5704
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize412B
MD550729c5606891a04906ee10be54b24c7
SHA1b35cefd8f67c70ab81e68ae8d963855caa068702
SHA256297b45041e7856a1ac36c9063bce14ee070c2dab7c6b0fbaae07748ac7e7899d
SHA512eabfce31980fb353c4dc9a7d0d82e2ffb704d46b28185495c08a84feeb32e71edf0d78ddc07406aa76c7f16008b91f3a43f442642e89744532e2ff5a9edcb911
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A
Filesize404B
MD53f90230c1ee774cb2afcf72e43429870
SHA1e01c266f6a19e58ef392d9f760a96436f3d128ad
SHA2565710f7d470181f711078308eda360f3e60efbc62ca030b481b5b6f49a02a9722
SHA51266374a68884e35e8fbce8a76326f71e248bd9b2d668558dce958d1f12c96536c84dbadf2f01229e1fdbc4d45acf221d2b26ea5dc528dc0b7c527f4f2cc0894af
-
Filesize
152B
MD57915c5c12c884cc2fa03af40f3d2e49d
SHA1d48085f85761cde9c287b0b70a918c7ce8008629
SHA256e79d4b86d8cabd981d719da7f55e0540831df7fa0f8df5b19c0671137406c3da
SHA5124c71eb6836546d4cfdb39cd84b6c44687b2c2dee31e2e658d12f809225cbd495f20ce69030bff1d80468605a3523d23b6dea166975cedae25b02a75479c3f217
-
Filesize
152B
MD59faad3e004614b187287bed750e56acc
SHA1eeea3627a208df5a8cf627b0d39561167d272ac5
SHA25664a60300c46447926ce44b48ce179d01eff3dba906b83b17e48db0c738ca38a9
SHA512a7470fe359229c2932aa39417e1cd0dc47f351963cbb39f4026f3a2954e05e3238f3605e13c870c9fe24ae56a0d07e1a6943df0e891bdcd46fd9ae4b7a48ab90
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize840B
MD5a9ed3d48e10943a2872e621a0dcc6585
SHA10dd3dfbfdc2e09fd42e9b46809e40f4dcc4d2e57
SHA2566cd18dc7a7c0407b9b609af1665f193059dd70c89403ff9335852b4d6c18fbf6
SHA5129f4ddc112cd792d22c62461743da7f91777a3f96210cbebbd43f695ec3ddc8c5d39297d6a9f101d95c681bb0cfc050900a71152b846bb924acdaba2314ac0144
-
Filesize
612B
MD52f42579aa980c2c3f5171b0de2ad6ff8
SHA1bb438d65038fff43acf7831acf400b9949b8e55a
SHA256cfb379684ffeaef355da963732d936c1a260194e70cebd45f30aee1a52664772
SHA5128720d3a06ca623737e5f21bd6c46004484535a9c3c99d71a7c87cc86f1a4582a588ed4b7af2349a951f74541526e35cd16868a5a4641e0cbd52f4da47b439da8
-
Filesize
6KB
MD5a4864e2044b121034f5010707aab2bfd
SHA1675c1f787962a613c87e3297b54fb8ca9155f07d
SHA256db4ef74a1a85ee3ebe64a1e5484a655a095fa2bd29d1706c16fa954b182bacc5
SHA512312a8005543cfe19809a46698a811e2f93a2b3d1f8d8f40fc319e839ceb18d02d92d8c5343d38dae1bb66bbdb9ecd7bbc1071ac18ffe0e7fbcaa0573c5aa3446
-
Filesize
5KB
MD503f7c5f030b9d288c8aaf58e736a271f
SHA14e9c78f17416fcba0e601e63cbf3f78164f5ce9d
SHA256206690c51720a0d949bb841703b46980ea3bc7d9ea6c855814800fb41fab6aee
SHA512c59ebdc2556ed5d14d4b11d4195a4a83a2880100772edf8e1c5e65149e08c3675375684e5b483502c15393daf8e6e0844f88cab19061bdc2c86492bed66dc5ca
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD597f2d38da820ae9076d7c5c87772eef7
SHA1c94f5437babef0129f1139cffc8561007b227862
SHA256538e945b975666819b975923f023b83f5c7b33eecb85bb8bda8216cfe68c9d0f
SHA51216d29f82af41fec19e5cf497d6ab760063018972139eff23f7a28c6de94fb475fae89667c08d30d6bca99815c7ecb4d837bc09d8d03aa3c4158751cb63c3dccb
-
Filesize
11KB
MD514184d647c8e4bbce7a9487cec2137c3
SHA10bb099795f69bc5b4fa90591093bc94d708d5ba9
SHA256086381324bf58bf2e51e2c7ad588050e1eff78b701bad21fa0a8ee45d67d3ce8
SHA512b295d63a3cadbb8bbad51763d8ed698a5d3a7769aec5dd29cf7224cb917f9aba3c367a1921c63b2cd06d862e32768b608326cd3593ae7efd2895dd6e03e0acd1
-
Filesize
11KB
MD5084133a1f643480bffd79e2cf9ddbcbf
SHA1db3c9f7716a389d8fa5d6d168083fc0b6c706c84
SHA256e336add6f73af5f0184c29f815a9acfb9beffd1ecc80cedcd2f5180b254d2463
SHA51291daafb207166575236f204225b6fa03ccfc5e18f5a18011c82bf2117f6f56ec0eb244edeabd5ec6ab0447be470d9d1c8453acf56effd570dbefab5ff7b8d9a7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_D106E8E87F3E43A4B7936CA3EA3D8914.dat
Filesize940B
MD5be203dccf8626d0bb69905a03f0d7f24
SHA1073f4cfc69224dabb7ae10f5b9abffab50c7053a
SHA256cb22a95871bd4d605431e05fe93f6ed5c0522097f54841cee907e39749daf35a
SHA512697a88f634244e0ebce991788b4ac676b58049ffa3cab0c96cfccbe80a467f3370eff70f9ab44abdaf9c75e9f9cf0475f3a092c029202ac88ea2b5dbe5e69185