44caliber | 29b6d8b4e922d49e993bdd6cebc5370fb35ad1c8356188139a0c863825be98d6

Analysis

max time kernel
1799s
max time network
1596s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
22-06-2024 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BleedBootstrapper.exe
Size

216KB
MD5

c985922fbfd599e853e51f20eb1c52af
SHA1

2c1479539a4937c520d5352b245a9fdb01aa6d43
SHA256

29b6d8b4e922d49e993bdd6cebc5370fb35ad1c8356188139a0c863825be98d6
SHA512

8d1420a2b6c51a2bcd1aac3d1387b8f77539bfa9d3e73a8525e8b84439e76debb8081d07dc339415b811a8e0de7f6ccadca1ac6c248aecec4333be464431cc34
SSDEEP

3072:LahKyd2n31d95GWp1icKAArDZz4N9GhbkrNEk5N7AX8VBt3wRW8IbE6Vx2K:LahO3p0yN90QEM

Score

10^/10

44caliber discovery evasion persistence privilege_escalation spyware stealer themida trojan

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1169713279464120370/GUIw2wEmQMllUHEfRf3MNeS3DBNrZN-RuTQ9QbFfAqIZNVHtIlkj1yiD5QqgrIlv8gQi

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

4520 netsh.exe
3636 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

pid	process
4520	netsh.exe
3636	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Executes dropped EXE 11 IoCs

Processes:

SolaraBootstrapper.execd57e4c171d6e8f5ea8b8f824a6a7316.exeInsidious.exeBloxstrap-v2.6.1.exeRobloxPlayerBeta.exeBloxstrap.exeRobloxPlayerBeta.exeBloxstrap.exeRobloxPlayerBeta.exeBloxstrap.exeRobloxPlayerBeta.exe

pid	process
3892	SolaraBootstrapper.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
1516	Insidious.exe
5272	Bloxstrap-v2.6.1.exe
7456	RobloxPlayerBeta.exe
9548	Bloxstrap.exe
9668	RobloxPlayerBeta.exe
10084	Bloxstrap.exe
10232	RobloxPlayerBeta.exe
6284	Bloxstrap.exe
4304	RobloxPlayerBeta.exe

Loads dropped DLL 9 IoCs

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exeRobloxPlayerBeta.exeRobloxPlayerBeta.exeRobloxPlayerBeta.exeRobloxPlayerBeta.exe

pid	process
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
7456	RobloxPlayerBeta.exe
9668	RobloxPlayerBeta.exe
10232	RobloxPlayerBeta.exe
4304	RobloxPlayerBeta.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 19 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.dll	themida
behavioral1/memory/2944-2058-0x0000000180000000-0x0000000180A5B000-memory.dmp	themida
behavioral1/memory/2944-2059-0x0000000180000000-0x0000000180A5B000-memory.dmp	themida
behavioral1/memory/2944-2060-0x0000000180000000-0x0000000180A5B000-memory.dmp	themida
behavioral1/memory/2944-2061-0x0000000180000000-0x0000000180A5B000-memory.dmp	themida
behavioral1/memory/2944-2203-0x0000000180000000-0x0000000180A5B000-memory.dmp	themida
behavioral1/memory/2944-2346-0x0000000180000000-0x0000000180A5B000-memory.dmp	themida
behavioral1/memory/2944-2356-0x0000000180000000-0x0000000180A5B000-memory.dmp	themida
behavioral1/memory/2944-2358-0x0000000180000000-0x0000000180A5B000-memory.dmp	themida
behavioral1/memory/2944-2532-0x0000000180000000-0x0000000180A5B000-memory.dmp	themida
behavioral1/memory/2944-2848-0x0000000180000000-0x0000000180A5B000-memory.dmp	themida
behavioral1/memory/2944-2986-0x0000000180000000-0x0000000180A5B000-memory.dmp	themida
behavioral1/memory/2944-3024-0x0000000180000000-0x0000000180A5B000-memory.dmp	themida
behavioral1/memory/2944-3082-0x0000000180000000-0x0000000180A5B000-memory.dmp	themida
behavioral1/memory/2944-3102-0x0000000180000000-0x0000000180A5B000-memory.dmp	themida
behavioral1/memory/2944-3151-0x0000000180000000-0x0000000180A5B000-memory.dmp	themida
behavioral1/memory/2944-3186-0x0000000180000000-0x0000000180A5B000-memory.dmp	themida
behavioral1/memory/2944-3212-0x0000000180000000-0x0000000180A5B000-memory.dmp	themida
behavioral1/memory/2944-6712-0x0000000180000000-0x0000000180A5B000-memory.dmp	themida

Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 208.67.222.222
Destination IP 208.67.222.222
Destination IP 208.67.222.222
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

BleedBootstrapper.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	BleedBootstrapper.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

Processes:

flow	ioc
42	raw.githubusercontent.com
213	raw.githubusercontent.com
215	raw.githubusercontent.com
217	raw.githubusercontent.com
1	raw.githubusercontent.com
5	raw.githubusercontent.com
37	raw.githubusercontent.com
34	raw.githubusercontent.com
43	raw.githubusercontent.com
210	raw.githubusercontent.com
71	raw.githubusercontent.com
72	raw.githubusercontent.com
219	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 freegeoip.app
39 freegeoip.app
Suspicious use of NtCreateThreadExHideFromDebugger 4 IoCs

Processes:

RobloxPlayerBeta.exeRobloxPlayerBeta.exeRobloxPlayerBeta.exeRobloxPlayerBeta.exe

pid process

7456 RobloxPlayerBeta.exe
9668 RobloxPlayerBeta.exe
10232 RobloxPlayerBeta.exe
4304 RobloxPlayerBeta.exe

flow	ioc
11	freegeoip.app
39	freegeoip.app

pid	process
7456	RobloxPlayerBeta.exe
9668	RobloxPlayerBeta.exe
10232	RobloxPlayerBeta.exe
4304	RobloxPlayerBeta.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exeRobloxPlayerBeta.exeRobloxPlayerBeta.exeRobloxPlayerBeta.exeRobloxPlayerBeta.exe

pid	process
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
7456	RobloxPlayerBeta.exe
7456	RobloxPlayerBeta.exe
7456	RobloxPlayerBeta.exe
7456	RobloxPlayerBeta.exe
7456	RobloxPlayerBeta.exe
7456	RobloxPlayerBeta.exe
7456	RobloxPlayerBeta.exe
7456	RobloxPlayerBeta.exe
7456	RobloxPlayerBeta.exe
7456	RobloxPlayerBeta.exe
7456	RobloxPlayerBeta.exe
7456	RobloxPlayerBeta.exe
7456	RobloxPlayerBeta.exe
7456	RobloxPlayerBeta.exe
7456	RobloxPlayerBeta.exe
7456	RobloxPlayerBeta.exe
7456	RobloxPlayerBeta.exe
7456	RobloxPlayerBeta.exe
9668	RobloxPlayerBeta.exe
9668	RobloxPlayerBeta.exe
9668	RobloxPlayerBeta.exe
9668	RobloxPlayerBeta.exe
9668	RobloxPlayerBeta.exe
9668	RobloxPlayerBeta.exe
9668	RobloxPlayerBeta.exe
9668	RobloxPlayerBeta.exe
9668	RobloxPlayerBeta.exe
9668	RobloxPlayerBeta.exe
9668	RobloxPlayerBeta.exe
9668	RobloxPlayerBeta.exe
9668	RobloxPlayerBeta.exe
9668	RobloxPlayerBeta.exe
9668	RobloxPlayerBeta.exe
9668	RobloxPlayerBeta.exe
9668	RobloxPlayerBeta.exe
9668	RobloxPlayerBeta.exe
10232	RobloxPlayerBeta.exe
10232	RobloxPlayerBeta.exe
10232	RobloxPlayerBeta.exe
10232	RobloxPlayerBeta.exe
10232	RobloxPlayerBeta.exe
10232	RobloxPlayerBeta.exe
10232	RobloxPlayerBeta.exe
10232	RobloxPlayerBeta.exe
10232	RobloxPlayerBeta.exe
10232	RobloxPlayerBeta.exe
10232	RobloxPlayerBeta.exe
10232	RobloxPlayerBeta.exe
10232	RobloxPlayerBeta.exe
10232	RobloxPlayerBeta.exe
10232	RobloxPlayerBeta.exe
10232	RobloxPlayerBeta.exe
10232	RobloxPlayerBeta.exe
10232	RobloxPlayerBeta.exe
4304	RobloxPlayerBeta.exe
4304	RobloxPlayerBeta.exe
4304	RobloxPlayerBeta.exe
4304	RobloxPlayerBeta.exe
4304	RobloxPlayerBeta.exe
4304	RobloxPlayerBeta.exe
4304	RobloxPlayerBeta.exe
4304	RobloxPlayerBeta.exe
4304	RobloxPlayerBeta.exe

Drops file in Windows directory 4 IoCs

Processes:

UserOOBEBroker.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedgewebview2.exemsedge.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

1388 ipconfig.exe
3908 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3528 systeminfo.exe

pid	process
1388	ipconfig.exe
3908	ipconfig.exe

pid	process
3528	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133635411525431014"	chrome.exe

Modifies registry class 21 IoCs

Processes:

Bloxstrap-v2.6.1.exeMiniSearchHost.exechrome.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\roblox-player\DefaultIcon	Bloxstrap-v2.6.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\roblox-player\URL Protocol	Bloxstrap-v2.6.1.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\roblox\DefaultIcon	Bloxstrap-v2.6.1.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\roblox\shell	Bloxstrap-v2.6.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\roblox\ = "URL: Roblox Protocol"	Bloxstrap-v2.6.1.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\roblox-player	Bloxstrap-v2.6.1.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\roblox-player\shell\open\command	Bloxstrap-v2.6.1.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\roblox	Bloxstrap-v2.6.1.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\roblox\shell\open\command	Bloxstrap-v2.6.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\roblox\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe"	Bloxstrap-v2.6.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\roblox\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe\" %1"	Bloxstrap-v2.6.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\roblox-player\ = "URL: Roblox Protocol"	Bloxstrap-v2.6.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\roblox-player\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe\" %1"	Bloxstrap-v2.6.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3107365284-1576850094-161165143-1000\{1968FD9D-2C2C-4553-B572-690DF140239E}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\roblox\shell\open	Bloxstrap-v2.6.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\roblox\URL Protocol	Bloxstrap-v2.6.1.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\roblox-player\shell	Bloxstrap-v2.6.1.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\roblox-player\shell\open	Bloxstrap-v2.6.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\roblox-player\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe"	Bloxstrap-v2.6.1.exe

NTFS ADS 5 IoCs

Processes:

chrome.exemsedge.exemsedge.exeBloxstrap-v2.6.1.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Solara.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 573135.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Bloxstrap-v2.6.1.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe\:SmartScreen:$DATA	Bloxstrap-v2.6.1.exe
File created	C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe\:Zone.Identifier:$DATA	Bloxstrap-v2.6.1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exeSolaraBootstrapper.exeInsidious.execd57e4c171d6e8f5ea8b8f824a6a7316.exemsedgewebview2.exemsedgewebview2.exemsedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
844	chrome.exe
844	chrome.exe
3892	SolaraBootstrapper.exe
3892	SolaraBootstrapper.exe
1516	Insidious.exe
1516	Insidious.exe
1516	Insidious.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
4476	msedgewebview2.exe
4476	msedgewebview2.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
3428	msedgewebview2.exe
3428	msedgewebview2.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
572	msedge.exe
572	msedge.exe
4688	msedge.exe
4688	msedge.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
3024	msedge.exe
3024	msedge.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
5116	msedge.exe
5116	msedge.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2944	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
4940	identity_helper.exe
4940	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

Processes:

chrome.exemsedgewebview2.exemsedge.exe

pid	process
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
1000	msedgewebview2.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2180	WMIC.exe
Token: SeSecurityPrivilege	2180	WMIC.exe
Token: SeTakeOwnershipPrivilege	2180	WMIC.exe
Token: SeLoadDriverPrivilege	2180	WMIC.exe
Token: SeSystemProfilePrivilege	2180	WMIC.exe
Token: SeSystemtimePrivilege	2180	WMIC.exe
Token: SeProfSingleProcessPrivilege	2180	WMIC.exe
Token: SeIncBasePriorityPrivilege	2180	WMIC.exe
Token: SeCreatePagefilePrivilege	2180	WMIC.exe
Token: SeBackupPrivilege	2180	WMIC.exe
Token: SeRestorePrivilege	2180	WMIC.exe
Token: SeShutdownPrivilege	2180	WMIC.exe
Token: SeDebugPrivilege	2180	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2180	WMIC.exe
Token: SeRemoteShutdownPrivilege	2180	WMIC.exe
Token: SeUndockPrivilege	2180	WMIC.exe
Token: SeManageVolumePrivilege	2180	WMIC.exe
Token: 33	2180	WMIC.exe
Token: 34	2180	WMIC.exe
Token: 35	2180	WMIC.exe
Token: 36	2180	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2180	WMIC.exe
Token: SeSecurityPrivilege	2180	WMIC.exe
Token: SeTakeOwnershipPrivilege	2180	WMIC.exe
Token: SeLoadDriverPrivilege	2180	WMIC.exe
Token: SeSystemProfilePrivilege	2180	WMIC.exe
Token: SeSystemtimePrivilege	2180	WMIC.exe
Token: SeProfSingleProcessPrivilege	2180	WMIC.exe
Token: SeIncBasePriorityPrivilege	2180	WMIC.exe
Token: SeCreatePagefilePrivilege	2180	WMIC.exe
Token: SeBackupPrivilege	2180	WMIC.exe
Token: SeRestorePrivilege	2180	WMIC.exe
Token: SeShutdownPrivilege	2180	WMIC.exe
Token: SeDebugPrivilege	2180	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2180	WMIC.exe
Token: SeRemoteShutdownPrivilege	2180	WMIC.exe
Token: SeUndockPrivilege	2180	WMIC.exe
Token: SeManageVolumePrivilege	2180	WMIC.exe
Token: 33	2180	WMIC.exe
Token: 34	2180	WMIC.exe
Token: 35	2180	WMIC.exe
Token: 36	2180	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1832	WMIC.exe
Token: SeSecurityPrivilege	1832	WMIC.exe
Token: SeTakeOwnershipPrivilege	1832	WMIC.exe
Token: SeLoadDriverPrivilege	1832	WMIC.exe
Token: SeSystemProfilePrivilege	1832	WMIC.exe
Token: SeSystemtimePrivilege	1832	WMIC.exe
Token: SeProfSingleProcessPrivilege	1832	WMIC.exe
Token: SeIncBasePriorityPrivilege	1832	WMIC.exe
Token: SeCreatePagefilePrivilege	1832	WMIC.exe
Token: SeBackupPrivilege	1832	WMIC.exe
Token: SeRestorePrivilege	1832	WMIC.exe
Token: SeShutdownPrivilege	1832	WMIC.exe
Token: SeDebugPrivilege	1832	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1832	WMIC.exe
Token: SeRemoteShutdownPrivilege	1832	WMIC.exe
Token: SeUndockPrivilege	1832	WMIC.exe
Token: SeManageVolumePrivilege	1832	WMIC.exe
Token: 33	1832	WMIC.exe
Token: 34	1832	WMIC.exe
Token: 35	1832	WMIC.exe
Token: 36	1832	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1832	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exemsedgewebview2.exemsedge.exe

pid	process
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
1000	msedgewebview2.exe
844	chrome.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe

Suspicious use of SendNotifyMessage 31 IoCs

Processes:

chrome.exemsedge.exeBloxstrap-v2.6.1.exeBloxstrap.exeBloxstrap.exeBloxstrap.exe

pid	process
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
5272	Bloxstrap-v2.6.1.exe
9548	Bloxstrap.exe
10084	Bloxstrap.exe
6284	Bloxstrap.exe
9548	Bloxstrap.exe
5272	Bloxstrap-v2.6.1.exe
6284	Bloxstrap.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MiniSearchHost.exeOpenWith.exeOpenWith.exe

pid process

10404 MiniSearchHost.exe
11216 OpenWith.exe
8756 OpenWith.exe
Suspicious use of UnmapMainImage 4 IoCs

Processes:

RobloxPlayerBeta.exeRobloxPlayerBeta.exeRobloxPlayerBeta.exeRobloxPlayerBeta.exe

pid process

7456 RobloxPlayerBeta.exe
9668 RobloxPlayerBeta.exe
10232 RobloxPlayerBeta.exe
4304 RobloxPlayerBeta.exe

pid	process
10404	MiniSearchHost.exe
11216	OpenWith.exe
8756	OpenWith.exe

pid	process
7456	RobloxPlayerBeta.exe
9668	RobloxPlayerBeta.exe
10232	RobloxPlayerBeta.exe
4304	RobloxPlayerBeta.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BleedBootstrapper.execmd.exechrome.exe

description	pid	process	target process
PID 3708 wrote to memory of 4320	3708	BleedBootstrapper.exe	cmd.exe
PID 3708 wrote to memory of 4320	3708	BleedBootstrapper.exe	cmd.exe
PID 4320 wrote to memory of 3536	4320	cmd.exe	nslookup.exe
PID 4320 wrote to memory of 3536	4320	cmd.exe	nslookup.exe
PID 4320 wrote to memory of 2404	4320	cmd.exe	netsh.exe
PID 4320 wrote to memory of 2404	4320	cmd.exe	netsh.exe
PID 4320 wrote to memory of 1388	4320	cmd.exe	ipconfig.exe
PID 4320 wrote to memory of 1388	4320	cmd.exe	ipconfig.exe
PID 4320 wrote to memory of 3908	4320	cmd.exe	ipconfig.exe
PID 4320 wrote to memory of 3908	4320	cmd.exe	ipconfig.exe
PID 4320 wrote to memory of 2532	4320	cmd.exe	find.exe
PID 4320 wrote to memory of 2532	4320	cmd.exe	find.exe
PID 4320 wrote to memory of 2180	4320	cmd.exe	WMIC.exe
PID 4320 wrote to memory of 2180	4320	cmd.exe	WMIC.exe
PID 4320 wrote to memory of 1832	4320	cmd.exe	WMIC.exe
PID 4320 wrote to memory of 1832	4320	cmd.exe	WMIC.exe
PID 4320 wrote to memory of 3528	4320	cmd.exe	systeminfo.exe
PID 4320 wrote to memory of 3528	4320	cmd.exe	systeminfo.exe
PID 4320 wrote to memory of 4520	4320	cmd.exe	netsh.exe
PID 4320 wrote to memory of 4520	4320	cmd.exe	netsh.exe
PID 4320 wrote to memory of 3636	4320	cmd.exe	netsh.exe
PID 4320 wrote to memory of 3636	4320	cmd.exe	netsh.exe
PID 844 wrote to memory of 4780	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 4780	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1996	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 3032	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 3032	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1572	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1572	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1572	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1572	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1572	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1572	844	chrome.exe	chrome.exe
PID 844 wrote to memory of 1572	844	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\BleedBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\BleedBootstrapper.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\SYSTEM32\cmd.exe
cmd /c Malware.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
3⤵
PID:3536

C:\Windows\system32\netsh.exe
netsh wlan show profiles
3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2404

C:\Windows\system32\ipconfig.exe
ipconfig
3⤵
- Gathers network information
PID:1388

C:\Windows\system32\ipconfig.exe
ipconfig
3⤵
- Gathers network information
PID:3908

C:\Windows\system32\find.exe
find /i "IPv4"
3⤵
PID:2532

C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get size
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\system32\systeminfo.exe
systeminfo
3⤵
- Gathers system information
PID:3528

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Port 1122 TCP" dir=in action=allow protocol=TCP localport=
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4520

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Port 1122 UDP" dir=in action=allow protocol=UDP localport=
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd1c90ab58,0x7ffd1c90ab68,0x7ffd1c90ab78
2⤵
PID:4780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1508 --field-trial-handle=1768,i,4149062042361107950,6875018296816233878,131072 /prefetch:2
2⤵
PID:1996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1768,i,4149062042361107950,6875018296816233878,131072 /prefetch:8
2⤵
PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1768,i,4149062042361107950,6875018296816233878,131072 /prefetch:8
2⤵
PID:1572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=1768,i,4149062042361107950,6875018296816233878,131072 /prefetch:1
2⤵
PID:2200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1768,i,4149062042361107950,6875018296816233878,131072 /prefetch:1
2⤵
PID:3024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3500 --field-trial-handle=1768,i,4149062042361107950,6875018296816233878,131072 /prefetch:1
2⤵
PID:3136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4320 --field-trial-handle=1768,i,4149062042361107950,6875018296816233878,131072 /prefetch:8
2⤵
PID:748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4452 --field-trial-handle=1768,i,4149062042361107950,6875018296816233878,131072 /prefetch:8
2⤵
PID:2480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 --field-trial-handle=1768,i,4149062042361107950,6875018296816233878,131072 /prefetch:8
2⤵
PID:2628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4652 --field-trial-handle=1768,i,4149062042361107950,6875018296816233878,131072 /prefetch:8
2⤵
PID:2684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=1768,i,4149062042361107950,6875018296816233878,131072 /prefetch:8
2⤵
PID:4476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4884 --field-trial-handle=1768,i,4149062042361107950,6875018296816233878,131072 /prefetch:1
2⤵
PID:4504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3292 --field-trial-handle=1768,i,4149062042361107950,6875018296816233878,131072 /prefetch:8
2⤵
PID:1616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1768,i,4149062042361107950,6875018296816233878,131072 /prefetch:8
2⤵
PID:240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3388 --field-trial-handle=1768,i,4149062042361107950,6875018296816233878,131072 /prefetch:8
2⤵
- NTFS ADS
PID:3740

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3788

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4420

C:\Users\Admin\Downloads\Solara\Solara\SolaraB\SolaraBootstrapper.exe
"C:\Users\Admin\Downloads\Solara\Solara\SolaraB\SolaraBootstrapper.exe"
1⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\RarSFX0\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\SolaraBootstrapper.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3892

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2944

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --mojo-named-platform-channel-pipe=2944.3852.7497956575747312974
4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:1000

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x12c,0x130,0x134,0x108,0x1d0,0x7ffd28ee3cb8,0x7ffd28ee3cc8,0x7ffd28ee3cd8
5⤵
PID:1324

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1932,8841410072814981855,13926987714521288108,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
5⤵
PID:4136

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,8841410072814981855,13926987714521288108,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2072 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4476

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,8841410072814981855,13926987714521288108,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2468 /prefetch:8
5⤵
PID:2240

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1932,8841410072814981855,13926987714521288108,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1
5⤵
PID:5096

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,8841410072814981855,13926987714521288108,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=4008 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3428

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1932,8841410072814981855,13926987714521288108,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=4812 /prefetch:8
5⤵
PID:5416

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1932,8841410072814981855,13926987714521288108,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=4808 /prefetch:8
5⤵
PID:5892

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1932,8841410072814981855,13926987714521288108,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=5088 /prefetch:8
5⤵
PID:1996

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1932,8841410072814981855,13926987714521288108,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=908 /prefetch:2
5⤵
PID:5508

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1932,8841410072814981855,13926987714521288108,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=1816 /prefetch:8
5⤵
PID:8380

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1932,8841410072814981855,13926987714521288108,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=4764 /prefetch:8
5⤵
PID:6316

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Insidious.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd28ee3cb8,0x7ffd28ee3cc8,0x7ffd28ee3cd8
2⤵
PID:1128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
2⤵
PID:2740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2504 /prefetch:8
2⤵
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
2⤵
PID:468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
2⤵
PID:3164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
2⤵
PID:3232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
2⤵
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
2⤵
PID:4748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
2⤵
PID:4532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3976 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3232 /prefetch:8
2⤵
PID:4712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5312 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
2⤵
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
2⤵
PID:2080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
2⤵
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
2⤵
PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
2⤵
PID:1620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
2⤵
PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
2⤵
PID:4764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
2⤵
PID:2924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
2⤵
PID:4668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
2⤵
PID:2144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
2⤵
PID:2752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
2⤵
PID:4012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2848 /prefetch:1
2⤵
PID:5732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6128 /prefetch:8
2⤵
PID:5844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,18391490818755835556,7992766155089686085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2752 /prefetch:8
2⤵
- NTFS ADS
PID:5992

C:\Users\Admin\Downloads\Bloxstrap-v2.6.1.exe
"C:\Users\Admin\Downloads\Bloxstrap-v2.6.1.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- NTFS ADS
- Suspicious use of SendNotifyMessage
PID:5272

C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-6b63ea89d2e54fd7\RobloxPlayerBeta.exe
"C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-6b63ea89d2e54fd7\RobloxPlayerBeta.exe" --app -channel production
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of UnmapMainImage
PID:7456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:784

C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
"C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:9548

C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-6b63ea89d2e54fd7\RobloxPlayerBeta.exe
"C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-6b63ea89d2e54fd7\RobloxPlayerBeta.exe" --app -channel production
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of UnmapMainImage
PID:9668

C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
"C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:10084

C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-6b63ea89d2e54fd7\RobloxPlayerBeta.exe
"C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-6b63ea89d2e54fd7\RobloxPlayerBeta.exe" --app -channel production
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of UnmapMainImage
PID:10232

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:10404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:10668

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:10924

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:10968

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:11216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:8756

C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
"C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:6284

C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-6b63ea89d2e54fd7\RobloxPlayerBeta.exe
"C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-6b63ea89d2e54fd7\RobloxPlayerBeta.exe" --app -channel production
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of UnmapMainImage
PID:4304

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize
471B

MD5
b8066c237d09f8e5a5ea41a82ae596aa

SHA1
3fa50d95bf6419659ca4acfdb3b23a85a3a7c26d

SHA256
72cd04d6ecf3e3b2f157270c9dcb632d6214f56528248e21fc34197f2e40dba4

SHA512
4b858b42a7c99103450e059eb5ad63753bb887d0a446e3535590636d2bfb415e725cd21096775e1262e026013b6de581a497d6531098e9b5f2df13be41a6bab7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize
412B

MD5
aa7d1d3965acec85617fc83f5c707e77

SHA1
890ed2730f8ddcf93bcc28d873f4138dc54421f5

SHA256
76490e1a1d346d75e9c3cadbb8806fd0dda367872e14f79ee498db7158454a19

SHA512
e7abaed4eea3ca9f2566f696dc37ccdb1ba7789f17ba21cd0445faf7b9fd37512727955a3d3c1c842023901ce473203e0588f45b4c8fb4c36b7e54213701b829

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Modifications\ClientSettings\ClientAppSettings.json
Filesize
79B

MD5
eab6dcc312473d43c2fa8cc41280d79c

SHA1
b4e9ec7e579d06dfcaa5ac616de2751308a153c3

SHA256
0a27d3c9100ab7ab6f03c45daeb0f0cd586f3aeb59daf7986e853f9614e954fe

SHA512
1ce0fdc237110d644bcc8238f184554f25813ccf7142fd312ce96fbb6659081db677b04485bf66d52100136da6bb9688e48b1287455725c7b4950153aa2a4595

Download Submit
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-6b63ea89d2e54fd7\content\sounds\ouch.ogg
Filesize
6KB

MD5
9404c52d6f311da02d65d4320bfebb59

SHA1
0b5b5c2e7c631894953d5828fec06bdf6adba55f

SHA256
c9775e361392877d1d521d0450a5368ee92d37dc542bc5e514373c9d5003f317

SHA512
22aa1acbcdcf56f571170d9c32fd0d025c50936387203a7827dbb925f352d2bc082a8a79db61c2d1f1795ad979e93367c80205d9141b73d806ae08fa089837c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\801c0279-c787-4252-a6ae-3598c33ee982.tmp
Filesize
7KB

MD5
744413efff1f0e52a768d33dfe42397e

SHA1
d41968f974fc0629f56f3058dfa2079213593ca7

SHA256
2a960c0f3adf84e3175ebe0f387336b4a0b57749e5387317fa2a5f71ab343cee

SHA512
77630d4cb3e2716d451493ba4ae4217ae5e2ecc04f8ac1f1fd967e81f691f1d4baf958955b43f8c9ff94b3f54c535face74dd7ed466577811bb748031c38b629

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
0fe487d731fd7ca372fbb803dc3d16f6

SHA1
453773143bc2d03556af82b5441f3d9c0604c939

SHA256
a81429de13ab8f7ea46b88d2a6db939584f919ae8c54f78d752b0438b4309a96

SHA512
1d3f8eb12d0995935978635049cb49c2ac371c594ee95c658cee14f538c3c461d8a98440d9d3954ad34ba9e59d756c4ddb5e8c91404fcf884d3dec59adc44f1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
0baecfa04ea2c81fdf7d49a001f3f4ca

SHA1
602d7cf6f14c2f58ffdd691b7d869c9c83619a40

SHA256
132f77f5228cb0d8fde82a06abf347831534d7c394dcab3e0f40415e28c8cf15

SHA512
36570f528f13a0a283d62a3fe2f279a6bbac6e64bf7a193d37c1b12d91f650699b11671c77b0215c749d4dbeacea75b3da1c979dfff89258d06ce09a4a716c28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
f49dd571f1d631bd1f4814252c52932b

SHA1
2a2d72bcc09f706b4f9696395f925d862fdacb8c

SHA256
ec8d1875a77a2cd14e523172296077af2bf0af636e0552acb8eaa946457a042f

SHA512
56e38d9e5c16bbae4c5a1207d5d2d384a707be4cb34b78173008897b4e170d6c95e1fe2a9cd70f24803ea21510428916b6f7a39d927ee90ca34b55649e050545

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
5a4f678feed35cd0ce9967b0a3e96cad

SHA1
304aac05847bdb4386a4dabeacd6e6ac72d6e925

SHA256
da9614388eb21c31b4b9fa7cd8263b9d1b36b6eb430d8e51382d2b1b6c196e2d

SHA512
8e84fc7dbc9b369ddad548358b84be4f3f145b665cd79fccb6fc19a38534f25fd81b385e23dfbb1ca64bebce54f6976660b414399d02f255d29b15147355615a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1018B

MD5
916438a5fe89b08883ca9ceaed0579d2

SHA1
7e6bca4b99d677093163a3442be907027bc19573

SHA256
6ee028fca8c56e0b8b988830982c51cb080f5e8a6604cde0007a2b8d1ecdef2c

SHA512
bd6b6077000918dae80393ce41f370f643ec9db2c377c51bafbfdd1d918b8a4cdf85225a3b61f9aa8d0f1c9a6e97a0852b2a92b1752ece50da3515e1c950c0c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
119c0ac19495b0d1defb1e1e1743b54c

SHA1
5233fbd09904e15d1895c00cb98a6f4e0cba3e39

SHA256
108658f9121e2455a99df2eec2ac69df5049f25db043ba8f5f6b2ae3e640a19f

SHA512
b106869fc0d63c007b02044d4f2f045b93564bc8216f9885fd8f8e1c8794e88d317f044385e661ad5e6d6c1b1a2ef2308595b38f980d8b3c02a678931f93f270

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
86258f72060166345b15c971fbbb2c09

SHA1
31d0fe11a9d0eb56c182616b83537c4da933e609

SHA256
7701cc57dc0f42e7afb92806647ac2337711f0968115be5acc8433104dab1d79

SHA512
66d7c4b0390e5d8078e584088ad132c63cd117b7507003e0450f52d3d0d5e574ec00a5abf7dc67f5a1f807999c1cd41144360f98c970c3a0b38d88f4b1ab4553

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
a1a5855aa498ae5f782be9968c198cde

SHA1
96d09b85c59852a20751c63dcb32ae20541d2906

SHA256
367328e540deee63ac0df58a8eec9ec8d9114445ee6555acebe69faea259c902

SHA512
efb4826b792c2286bdcdf80aaf79beb9845502ef6ee3a197a1b1e770c4d84d29051262f98dc755b215200292126fd720596f27bd119a8554c0a02e8145be844a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
78abbf7c9417288aa84353f2b58873cd

SHA1
0af0ff0276cc5f0997874b153559b017d97195cd

SHA256
4f154d2bb8d984c73c1176321678690c34003b52c4ccbff6b00f91d10b5288a5

SHA512
c38bc29bd445acebc31896a04782a35a4e23b098fa1e1a4587e0ccd9a19444f7af612538d9507c9584260d60a875b5311d1526488200592f09110e3170f1b81f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
aec3536a95dea907d64462019005a278

SHA1
5f35609f6b4e3a021ff2d825f405b7b91a9241bb

SHA256
dd2d32f2d1a3feb9489a85cc16df7ba966a69462949271e8686aec689e4353da

SHA512
a4668326cdbec6d8ac9ae40a15a3040b76a7ef93bb1d0407991887bd79c0bcbbc9f7ded48ffb1a9c0b2f9285a4c94b8ae47ad3385ab084494415ba72e904e477

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
d7053596e8c0855bf3e057c8fb5d7ac9

SHA1
6ca2ece07ffe1d081d05d21a322b19ce7b806c80

SHA256
d3465256a127a8ceda7337a1663145738e94e5107d4767f3ea38594646289454

SHA512
1edf1c2f5d5278f0e2923af6a81dd3a52dd6a300de2b5897421fd30e612781e52f4d02ec44c6239b96fa8034d3e2197d2b34613aaa8446a7a18beec0df53b067

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
67262caa8910c37df9c14a2ef6fbdade

SHA1
b7013baeeb08fc138b1421b0caf4a90c663d08db

SHA256
5f5feb0386f61bd246869bddb8666587a45fc3f40ac3569444e653eeaac07201

SHA512
9f438c7288b63fed1a83323894785016827fe47a8aa8d43a3ea121567476bbffba96fcdd2d33eade1064a60d66f80b8987a825315881a7a93a3e2604a2526c7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
cad6a65b6a779f7824298735977f311a

SHA1
92b186433e07e26048ba31ffa13622ff50136b3b

SHA256
bfb1485a55452b61102292dc0bf3296ddb56e5fb3dccb82a7fd488017f283bbb

SHA512
74bec76920600e6c44e2940ba935bbbbff01f6c2cf820afce7f2ef3f65798f91454d8a180f3b51640b2af6e1a85ed8b824fb6c6ae9a26cc659ea2bafecbf3c47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data
Filesize
100KB

MD5
7a2729ca7dfcdffc7fb79ee9ca1f0d4d

SHA1
4d5638e38f6e4ec83c5bde542c7b61b921bad08b

SHA256
8127aa75b9b1937adc7fef1068feec46fb1446b1532277f71c7d8f64ff58485a

SHA512
320af96c5b1e26c521d37d37a0ffc811a16a47975d2968151009f5ac938574a40a194f8adfe727c2ae794f54ce516b75f0fab23a2546489e059566cad0f4a10e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
271KB

MD5
a5aa9cf250c924892952a69887e82224

SHA1
687cd64ef3b5abc872281e7d31de88b758558395

SHA256
eb4978ea618eae1b98728ff70b98776ab6641a807d21209369437c926e564b22

SHA512
1788d855753bc73b52eae013bc81d44d86aca5ba3c9a204c63a8a21bf8e0935def51dbbbe7b5027993d141af3a8cb34feab4cc10897ec5d571986159f242729a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
271KB

MD5
f12417a8b1977725d507e6043011cbf7

SHA1
b62f9415e919773b1003340526b521f174f65607

SHA256
48ef2df6a847c4e85abe06b5572fa56c699817dbbb91a32f33a180d51556a3db

SHA512
51f72caec9724ecd1ea20cd7298d8e728c74741fb124a62283aeb716ba063bf5d52e93ce66475a3155e04cc29c2d930a7070e49864c91ac2d9d275042ab75ba8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
94KB

MD5
9e994bb14cf99a811da3b2b8a990b149

SHA1
c978e3ea60f07994a34dacef0c8ef764d3939707

SHA256
3e4a4e11a4f182d6b8bdcded809491c0bbc5fedcec58680fbb10eecd285b18cc

SHA512
66f10243695c912d436731fecb1af9ecd228d15912e42bb6ce55004bcf062b77b6e046bdf27dec13c0650efaba2e8e671cb931e67ac6d5eccce1c8d5e2d0c3bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe587da7.TMP
Filesize
83KB

MD5
820beb29aa04392872d08cc003f2315b

SHA1
5c5f8415c8a8be212e27658fe8cb3654cd426d91

SHA256
c70006b4089f2749b79fb80b33fa1434abba77e9fe17b650948f2cb758608b74

SHA512
f93e94680f452a8ce05ec41a59ba157f67be5142ef11e3a0c5ed9e6f6e005afd667c0af7535e1e72c3d213bc89a321b9a5c8b0a621eeacad85cb646fd0904805

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
83b5555bb2574b707aa8c8dd189c67eb

SHA1
517c785b7b0bf863f903157fc94f8592afdc9c23

SHA256
8ff55e51daa9cbcbb5d1c913b7d7924e4bcb97dca8000567346509aa0024d846

SHA512
d3ac6adcbe6d731c05b6f51900b21488b37a33215421ef94586a7a234bb5a668bed0768cb3452874b1a00deef8972eb6f113308c5c11b200b587101e1622ded7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c1c7e2f451eb3836d23007799bc21d5f

SHA1
11a25f6055210aa7f99d77346b0d4f1dc123ce79

SHA256
429a870d582c77c8a661c8cc3f4afa424ed5faf64ce722f51a6a74f66b21c800

SHA512
2ca40bbbe76488dff4b10cca78a81ecf2e97d75cd65f301da4414d93e08e33f231171d455b0dbf012b2d4735428e835bf3631f678f0ab203383e315da2d23a34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6876cbd342d4d6b236f44f52c50f780f

SHA1
a215cf6a499bfb67a3266d211844ec4c82128d83

SHA256
ca5a6320d94ee74db11e55893a42a52c56c8f067cba35594d507b593d993451e

SHA512
dff3675753b6b733ffa2da73d28a250a52ab29620935960673d77fe2f90d37a273c8c6afdf87db959bdb49f31b69b41f7aa4febac5bbdd43a9706a4dd9705039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize
63KB

MD5
5d0e354e98734f75eee79829eb7b9039

SHA1
86ffc126d8b7473568a4bb04d49021959a892b3a

SHA256
1cf8ae1c13406a2b4fc81dae6e30f6ea6a8a72566222d2ffe9e85b7e3676b97e

SHA512
4475f576a2cdaac1ebdec9e0a94f3098e2bc84b9a2a1da004c67e73597dd61acfbb88c94d0d39a655732c77565b7cc06880c78a97307cb3aac5abf16dd14ec79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
69KB

MD5
76c36bd1ed44a95060d82ad323bf12e0

SHA1
3d85f59ab9796a32a3f313960b1668af2d9530de

SHA256
5d0e5d5fdb4d16cf9341f981b6e4a030f35d4766ad945c27381f8d3afb624542

SHA512
9f0555fb531734b786364701e17cb7f57ce94a688d4616fb85bf32cad45a253a9c479a301e05a4f8630cfea141dd52726a31b8e90198c19c16f33fb150a04a40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
Filesize
42KB

MD5
f99f2d6a05b0c0ead4b862985c5c1816

SHA1
b8ba39585bcc49c925f4d7e9f2eb1e0be2bc870a

SHA256
adb2077ab140042786d0e8d599dc7480fde2d2452f8c5e28ffdecd1a044faeb1

SHA512
b6360cfa3ad0f9982348eed1e7a5d3e941e7de17e899f3c70c33cb1330e44a7ab8e1111aa7dd3f06f69f33e518157f65e17c6b1cec363082cdc8855770de3e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
Filesize
19KB

MD5
635efe262aec3acfb8be08b7baf97a3d

SHA1
232b8fe0965aea5c65605b78c3ba286cefb2f43f

SHA256
8a4492d1d9ca694d384d89fa61cf1df2b04583c64762783313029ae405cbfa06

SHA512
d4b21b43b67697f1c391147691d8229d429082c389411167386f5c94e3a798f26c2457adf6d06caec446106e0f0aa16d895bfc4e8a1ff9e9c21a51173a923e3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
Filesize
64KB

MD5
2923c306256864061a11e426841fc44a

SHA1
d9bb657845d502acd69a15a66f9e667ce9b68351

SHA256
5bc3f12e012e1a39ac69afba923768b758089461ccea0b8391f682d91c0ed2fa

SHA512
f2614f699ac296ee1f81e32955c97d2c13177714dbd424e7f5f7de0d8869dd799d13c64929386ac9c942325456d26c4876a09341d17d7c9af4f80695d259cfea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
Filesize
88KB

MD5
77e89b1c954303a8aa65ae10e18c1b51

SHA1
e2b15a0d930dcc11f0b38c95b1e68d1ca8334d73

SHA256
069a7cc0309c5d6fc99259d5d5a8e41926996bbae11dc8631a7303a0c2d8c953

SHA512
5780d3532af970f3942eecf731a43f04b0d2bdb9c0f1a262dbd1c3980bcc82fe6d2126236ad33c48ea5434d376de2214d84a9a2ccec46a0671886fe0aa5e5597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009
Filesize
1.2MB

MD5
0ce62e9d53ff7bbb7f9f3ec62519209b

SHA1
d50a698c63fb1957a07d805bd6e826b262773bf0

SHA256
d7d211c8ccfc31dd47ef275249fe7e4bd5fcda67a0c8d35781a8b2cd3d798521

SHA512
bcf0b9f827b6f1d9124cc16bd231d7bba6aa40929549dca3d32247134f8c27fcb5d184ca21eecd9a2a52c0a68333088d706fa37f215eb412adad0deac20ece0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027
Filesize
36KB

MD5
0e045ce9afca2d76d92e1d18344834be

SHA1
f1ebee178f8b20945fde60e392c53c7deeb5d3f9

SHA256
c5c5edb2479ae74b76265ce50f3288286418225c04a6f35148d3d2238a4fad8c

SHA512
d82c38a003956344659b0b095d6639e081e5a87a7ac822efd2366a39109862bd90661bd448e097deb23a26efa042703fa378f5d7c6701fda9651f2525b942821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028
Filesize
20KB

MD5
90c7c3cd9f1bda2460a4ce30711d11b7

SHA1
5d62c16f1237f8429a215873602579743cb25aa3

SHA256
f25d0e3f8652167d6a56adb7c8e0441e364dcbc2bb847ad176dc3709d3272450

SHA512
55ee7a7956ddcf57e0e47d83a317ae663a26c5c32d549d2bd3ec4a54f30720ad353ab67b522310f86e1822c628ec5ed654a199d329752d5b8a4eb0c07f78399a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029
Filesize
48KB

MD5
47b6e3b9a667b9dbc766575634849645

SHA1
54c7e7189111bf33c933817d0a97cefe61fe9a6d

SHA256
302ed4f6c8ac4312d71205603c4c28dd2976fafe4c05533c0a08ab3bdb531aa3

SHA512
a12b74ff45f6f9e6abf459863c299e1fafe61dcf2bea8a7331ed9547de14ed29e2deba69b104c6960db93b458f83ba6a4ba454c5514105e7ffb96da96e26e612

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030
Filesize
22KB

MD5
1ac27973084a93966f6a90d5b518e258

SHA1
787986ea7a061e18e3d858c919a7692c6d100ed3

SHA256
f8a4c49273653af8dff6bc5e910bdc5a4ca5496c60f0221cfbf3da26df2388f8

SHA512
3bbd2a13f7583890c4730aa4fbe49bd1d280950e28917389177b6eddfdfaee6b1969efa3e4741c6ab21e9f83154540ed80652f3c1c9145fd2fa6a0687b6aa461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
ea48197a1e28ba6c63d4bbe75af329dd

SHA1
cabff5049561b7456b2593eeeadecb6585f744c2

SHA256
a59eb1531445f431a06a5bf71eb4795c96b2caddcbf5e90b1bb8b46cc27a6669

SHA512
bb2f20f1ea4968f16b12616b1ffb0f7821af8f27e7a9fcd58b0ee8b133481fdd8d792b492e815496b22169cb3b02c7de981d9620e4abce60df497f6a1699aa3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
4KB

MD5
c9f3cb3c19727bb69f27daf8b6d8da71

SHA1
7c780f67fe4e9cad382bc1992fd723129bb066ae

SHA256
80106293879cc213428cc99f0c3832928111cc28d4ed20781ef796e34ba86bf7

SHA512
43524ef9a903e0b0b124136ee9987809d644cf9854dcb9d004da81280528fab1793cd8d3afe998e4c480cd4b32164e990e3f640cc598b952d75ec29faf07d60e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
4KB

MD5
3f17a9bf713891a1fb5aa332b16cf6f1

SHA1
3024f2ee89d5cd243528ea6116188b69818a18c6

SHA256
707aef69add89edc9e70cb0c1e2f698d5f2a23bd0e170c9e099e9f596275fd97

SHA512
19de3e9c4b3ae49a7579f1a6f95170b5b53c3758e55f35c1c2f4361c11cc999e3dfcab5b9aaf9fc13c52c062a36742022dadf72c5a52393a846d63df37f9dd38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
10f6d759fa444a7ee948cfe4841592ff

SHA1
196c1d01806a6a273a5604fea8e19d8491e6a9b8

SHA256
5d901f8efd26156b7644d280766cdb279ec761fbeefffd46f126375d936b8cbb

SHA512
245dd74b7d5b0a68955fa5062962d98644cea001c740a2f5e90ff732ef4cd4227e89c98eab7cc464becc95d7a0a8270d7bdcba66c91e032159aa44f10149864a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
2aea79b2741c960ddcd8dd75f83693c1

SHA1
2086a1ac533666943ffdff65f5d994e94671adc7

SHA256
8daadc59a37050d4f7c70a2d544cc6b5ad7508445b6419bb90a1c27bfaae4192

SHA512
b96d7a63382530c1f0d4cbfda7f41426a69211d7780ae5071c2a4d6f0888d87893ba46a12d49fcbdb4fa09aa6e5cc7353fe0cc51e61f72e53734f0d4a71037ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
44fbd54c42e8284bf4b50fcf7f811398

SHA1
a965a094ec443b9e11010c28c639a7571d9d11b6

SHA256
c1dcf0cb614e27c3b95c43d990d0cec7718e27d3f8fd871f74336b7b116b38e5

SHA512
0f36277b95fd5d025a240d20c414cdb41a9ba0ebbc76917c3e2e9faa934265d5a8641832c6677404f12037607902f0c50cd3875c25a5fef465c3c188855fcdc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
46a1604bcc6c35a5ce9ba2ef3d83e4a9

SHA1
457fe995b8b5b1ca2ba234941c49865aced7bf2c

SHA256
8aaf76ff640077ce54ee542a089401690878d36f2899242137acd51f03a6b90a

SHA512
6c779bf073684b12f11e916b759cb81a81c2ae0278b5207227f572409c1500b093159e7e9861d50bd4a65fd0a2040fe538503b21d1208bd479b5b6830e23b03f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
225935cde17bf619f53ff04e1a2e80bd

SHA1
921a9176dd2e1b928e8c080de5e23cf80749f9c2

SHA256
5e0c033b0ac9a4fe0a0fcc2df2686546e70ccea8d0dc5cac162a1a76f19035bf

SHA512
c7193e9fe9122f6739094306b07ad363c378242b83a9ffa13dab5c64e26dd5f2000e36f023df36f8f1a0a36fe918bba47b37a5425da912ea41c45a3ece715a9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
e20c2ae15ab7f86a5bdf2af4f0d149e0

SHA1
6217a9e49031a76c11fefe44dabf5e9a72560849

SHA256
d137eb4670ce7551639099b3576c3fc1c276886ebd917897bd308e88668cc12f

SHA512
e3157ed87095d711fd4446b1cd408dfadbb79ac16fa52e64f0e3cfc8c216912d22433ff279dbb55da0679bd16039759bed40c1a15b1c292e9139b3d5204dcb89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
8bd6f513758131de54c5759ff2bdd522

SHA1
ffd5e2faee63155e9cd536087dd610a46c57c51f

SHA256
db5fc68edddde37d439d1ef401112a8cebbacdeb445029f0627830615ae525e6

SHA512
6b6b81388fab9b83b162976c2354e18ca09585e8460b74f25ed26748721d855c2cc2137f7528e2ab1342f467b8d6124ca80e7cfffca81af65a9bf10feaf4f18a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
7e60bf8d63693a2eabd787d5af01201f

SHA1
f126b8566026e3d6809e727def196e21c1abd5fe

SHA256
16655b3cdbcb01d7c465bf1818893f6bac8cc467b2d8ae9f705c2b6387e4a442

SHA512
4ea1ae810ae2db1aa4a8456190903b0766add1a975d077350c2eaaf7ce72f70730d649a8f2fe895f6ffee40f049fdc68ffa19d87f97b3d1e2ed03126259b8303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
0cff27a387d6c65b87a09e0fdb053d95

SHA1
7cdf2c0ded69538be518d8c92dec2ef5fca2321a

SHA256
f09a742ca36fa266333d05334898b72f8a4cdd707ff64e58c0ca7fe11f15469e

SHA512
118ad557015be1ba2a132aaf0982b96cf81d7e6fd204a0adce4167064c74339676baf868252fe14eedbca7628a01f15567eaa08d9feb27438d5ef08510ede85a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
4c0a2e06cbddc9772896e714a82eea8f

SHA1
318f1f5aef0dcdfce32b9551e28d855fdbc34eab

SHA256
af3d99f36088b26f41bbfbb3e7d4d97d06c12e980a08d3f1b84b281a90e6cfba

SHA512
84f4b2091fdfd8edb97406ab387b8073fc78df1cb6cdb638396be8c410f5fe90c401f6e1bcdd64b7b8bd6dd8332c8fcf7c0f8209fb4a88ca5ca9e9f2c13c68a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59a00f.TMP
Filesize
1KB

MD5
9e198991fddc61cac6f2bce8293d6a30

SHA1
325057c1a785f837f9a62530259aad007bd0a31e

SHA256
a6029d87725ad885a1869c7a30a5dd5362ea4092bd2e9274d9602c9598987562

SHA512
590086b461ec4020cb711a2d8df903b756d79d6875a8972ea0d00b055a36bf3c6ac2ec99d87e40a50125bb8ce80d4c0cbfeaaefd438bc1c1908f4fc4a27c2844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\dbbe7e03-215f-41a9-ac9f-19731ad993b7.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
d705dc1c5ba131ae998c93b36803e1b5

SHA1
4bcaa6074c919b0d0f6503b3eefdf20c1721e252

SHA256
87018f64766dee0187f985e755eaac75eba20def8c9abcb351f0985d5ffd2127

SHA512
a06efbb59d5e2e6c38d1376cc4f50a3e8fbc963d0df203b236b66a65d5057e4945db4c045b3a325fc1837d137b132effea8ec9b9432fca3ae2990760ab149bd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
f6159ab5554ca46ba9a7bf04f40dacd9

SHA1
5a4705964b8e4458dffe4f20ad9b805514e2f25b

SHA256
a5d369b4e2a98cc1bc4fd155aceffa269a868af028f0a40e6d39c3d344d9ecbe

SHA512
30da464e133647359a5cd40bc6ee75aa12cc965a3628863287728905ce658c38e307846b69cb7d3a82532f5cda294c5bfaad9eba84355e04bb7e5ff0a422c355

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
8aaa81a8358d439876436d2944f6876d

SHA1
450c217f538ceb187772ca827b4b72168b69b392

SHA256
90c9fd725db36c202cfc6071fd74afc1a2c71d1fcedad84fe3289d0ec2c07168

SHA512
423af2d309ded0fed6ccf89fc32146951fc305b3a7d10b14958184e33eca0a05671f046e8132a9a913813f906174ac1923143e675d45bff843cb38e827e580b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
e1d03384bd6d195b2ebe6908f878d7d9

SHA1
77c4869756fc3665bc4f9522d7572dbc993e58d4

SHA256
37f7e90d81e8414c29c029d6c0baab5fc332630c120080e4e3550f4db749e7e7

SHA512
de0b8e6e83b763bda58ab151721d0a86d57aedb67f7380e45a87f16e557dc64ded4da47e52cc0bb60a71629e7b69fedfff2e23c6d7c5c931d60897a267fed98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000_1796217047\manifest.fingerprint
Filesize
66B

MD5
7ce55ac0d7683657fd051e573ad06e30

SHA1
3bc51fbc6155c4e9d1439587e1c739995054cc52

SHA256
138e2b36e4c8bec8b00180558843355037d7de99c389f46e6183c4fc5a34c790

SHA512
f269c5c2ee53ed836bfd1b928b40e1ddb2aaea00e5585c85fecfcb1add71130d4ecfe91d2f2527934ac472c8b432d3475ca02b8f808e7e6014cd49155529d9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000_1796217047\manifest.json
Filesize
43B

MD5
55cf847309615667a4165f3796268958

SHA1
097d7d123cb0658c6de187e42c653ad7d5bbf527

SHA256
54f5c87c918f69861d93ed21544aac7d38645d10a890fc5b903730eb16d9a877

SHA512
53c71b860711561015c09c5000804f3713651ba2db57ccf434aebee07c56e5a162bdf317ce8de55926e34899812b42c994c3ce50870487bfa1803033db9452b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9K21JM10B.log
Filesize
2KB

MD5
cb8d0342f2e762b7d71a59d001c3dc46

SHA1
d8ae9ef446fea3a3435bee46a8d3db8a5c879ff0

SHA256
2a8137cc75b06ce9324f9621d59e76a8f09cfee0f0f2cf69568e8c1339756bfd

SHA512
12e6009589630f9ff9807fc9eee50b3156063e266d5ed8e31c987ed39514b1bb44a037825e43822314e732eff3b4f21b39b561a53b767cd6949da8d1aac1f0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Malware.bat
Filesize
2KB

MD5
e201d58f2e7e64828ab5f6ada6c16f55

SHA1
3b8cd942176a020e7bee7ecb9dfe2714111c9d9a

SHA256
8b515e5fef4bf198eb37b562ec30923f3a4724e8c4e93119adcc81e2ff6a4fb1

SHA512
38dfa4892b83a49e37bef44f00c2390efd5b2ad7fbb8f5087b938da762208aa9c8de80c9f9a7fe58f41b32b6aaed2176eceb77ccca9b3960cc573a04cf2b9515

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Insidious.exe
Filesize
303KB

MD5
cf6fbbd85d69ed42107a937576028fc9

SHA1
d8f2ca741a8f0beb8e89a68407241c5332759303

SHA256
644455284cd1e2188564dcea09cc0d09448423c9bfdeb9d05a834600d593ec1a

SHA512
562f8004f6d406ed596ff2ad7487f616f1abb98d415d70d87c18f11f364b35a40b959800085966b1680737e6bc7e3793d3b8c60046ea680dc87a673badeab94e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SolaraBootstrapper.exe
Filesize
13KB

MD5
6557bd5240397f026e675afb78544a26

SHA1
839e683bf68703d373b6eac246f19386bb181713

SHA256
a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239

SHA512
f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Core.dll
Filesize
488KB

MD5
851fee9a41856b588847cf8272645f58

SHA1
ee185a1ff257c86eb19d30a191bf0695d5ac72a1

SHA256
5e7faee6b8230ca3b97ce9542b914db3abbbd1cb14fd95a39497aaad4c1094ca

SHA512
cf5c70984cf33e12cf57116da1f282a5bd6433c570831c185253d13463b0b9a0b9387d4d1bf4dddab3292a5d9ba96d66b6812e9d7ebc5eb35cb96eea2741348f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.WinForms.dll
Filesize
37KB

MD5
4cf94ffa50fd9bdc0bb93cceaede0629

SHA1
3e30eca720f4c2a708ec53fd7f1ba9e778b4f95f

SHA256
50b2e46c99076f6fa9c33e0a98f0fe3a2809a7c647bb509066e58f4c7685d7e6

SHA512
dc400518ef2f68920d90f1ce66fbb8f4dde2294e0efeecd3d9329aa7a66e1ab53487b120e13e15f227ea51784f90208c72d7fbfa9330d9b71dd9a1a727d11f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Wpf.dll
Filesize
43KB

MD5
34ec990ed346ec6a4f14841b12280c20

SHA1
6587164274a1ae7f47bdb9d71d066b83241576f0

SHA256
1e987b22cd011e4396a0805c73539586b67df172df75e3dded16a77d31850409

SHA512
b565015ca4b11b79ecbc8127f1fd40c986948050f1caefdd371d34ed2136af0aabf100863dc6fd16d67e3751d44ee13835ea9bf981ac0238165749c4987d1ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\get-intrinsic\.nycrc
Filesize
139B

MD5
d0104f79f0b4f03bbcd3b287fa04cf8c

SHA1
54f9d7adf8943cb07f821435bb269eb4ba40ccc2

SHA256
997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a

SHA512
daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\has-proto\.eslintrc
Filesize
43B

MD5
c28b0fe9be6e306cc2ad30fe00e3db10

SHA1
af79c81bd61c9a937fca18425dd84cdf8317c8b9

SHA256
0694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641

SHA512
e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\hasown\.nycrc
Filesize
216B

MD5
c2ab942102236f987048d0d84d73d960

SHA1
95462172699187ac02eaec6074024b26e6d71cff

SHA256
948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a

SHA512
e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\vary\LICENSE
Filesize
1KB

MD5
13babc4f212ce635d68da544339c962b

SHA1
4881ad2ec8eb2470a7049421047c6d076f48f1de

SHA256
bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400

SHA512
40e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\index.html
Filesize
20KB

MD5
08d9ac1e35385587b0c3c8a73ea97234

SHA1
d1db15b5e97152be999339d90630f68ed06a6b78

SHA256
016cadaa9a8494b15efea920a5ea9c02b441e90dbc7c444e73db3b307f93a741

SHA512
8061a5a92f828642ea2fcb319571efa406ed67a75b4d4da1aeb3da96391a72fcde670e3e52efef62d37ddc17f7eca5afa0d35aa02bfd1bcadd8e86240cb802a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\vs\basic-languages\lua\lua.js
Filesize
5KB

MD5
8706d861294e09a1f2f7e63d19e5fcb7

SHA1
fa5f4bdc6c2f1728f65c41fb5c539211a24b6f23

SHA256
fc2d6fb52a524a56cd8ac53bfe4bad733f246e76dc73cbec4c61be32d282ac42

SHA512
1f9297eb4392db612630f824069afdc9d49259aba6361fb0b87372123ada067bc27d10d0623dc1eb7494da55c82840c5521f6fef74c1ada3b0fd801755234f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\vs\editor\editor.main.css
Filesize
171KB

MD5
233217455a3ef3604bf4942024b94f98

SHA1
95cd3ce46f4ca65708ec25d59dddbfa3fc44e143

SHA256
2ec118616a1370e7c37342da85834ca1819400c28f83abfcbbb1ef50b51f7701

SHA512
6f4cb7b88673666b7dc1beab3ec2aec4d7d353e6da9f6f14ed2fee8848c7da34ee5060d9eb34ecbb5db71b5b98e3f8582c09ef3efe4f2d9d3135dea87d497455

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\vs\editor\editor.main.js
Filesize
2.0MB

MD5
9399a8eaa741d04b0ae6566a5ebb8106

SHA1
5646a9d35b773d784ad914417ed861c5cba45e31

SHA256
93d28520c07fbca09e20886087f28797bb7bd0e6cf77400153aab5ae67e3ce18

SHA512
d37ef5a848e371f7db9616a4bf8b5347449abb3e244a5527396756791583cad455802450ceeb88dce39642c47aceaf2be6b95bede23b9ed68b5d4b7b9022b9c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\vs\editor\editor.main.nls.js
Filesize
31KB

MD5
74dd2381ddbb5af80ce28aefed3068fc

SHA1
0996dc91842ab20387e08a46f3807a3f77958902

SHA256
fdd9d64ce5284373d1541528d15e2aa8aa3a4adc11b51b3d71d3a3953f8bcc48

SHA512
8841e0823905cf3168f388a7aeaf5edd32d44902035ba2078202193354caf8cd74cb4cab920e455404575739f35e19ea5f3d88eab012c4ebefc0ccb1ed19a46e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\vs\loader.js
Filesize
27KB

MD5
8a3086f6c6298f986bda09080dd003b1

SHA1
8c7d41c586bfa015fb5cc50a2fdc547711b57c3c

SHA256
0512d9ed3e5bb3daef94aa5c16a6c3e2ee26ffed9de00d1434ffe46a027b16b9

SHA512
9e586742f4e19938132e41145deec584a7b8c7e111b3c6e9254f8d11db632ebe4d66898458ed7bcfc0614d06e20eb33d5a6a8eb8b32d91110557255cf1dbf017

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Newtonsoft.Json.dll
Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\VCRUNTIME140.dll
Filesize
99KB

MD5
7a2b8cfcd543f6e4ebca43162b67d610

SHA1
c1c45a326249bf0ccd2be2fbd412f1a62fb67024

SHA256
7d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f

SHA512
e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\WebView2Loader.dll
Filesize
133KB

MD5
a0bd0d1a66e7c7f1d97aedecdafb933f

SHA1
dd109ac34beb8289030e4ec0a026297b793f64a3

SHA256
79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36

SHA512
2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Wpf.Ui.dll
Filesize
5.2MB

MD5
aead90ab96e2853f59be27c4ec1e4853

SHA1
43cdedde26488d3209e17efff9a51e1f944eb35f

SHA256
46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed

SHA512
f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\bin\path.txt
Filesize
33B

MD5
7207978deac3d2df817c0efb6de01f45

SHA1
1b547cb35c2e709dcf4132452cdb5b6ccd66044f

SHA256
14056051c638d943e3f6cd8ae99b7b8b8b4419f6e6193861081e519eeb4dc808

SHA512
d38226a5eb755aafe7e8e3d707b00841aea985bd8dedf20556800f1bb7ac7c807fa195bdd1e21014087f89b319ab278bec922951b7c682e9edd3fbee147834ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.dll
Filesize
3.9MB

MD5
a4e469b250ddd6b7bf49530074eb58d6

SHA1
b453b13beef7d25bc0675fe68177e5bd2a3b3a22

SHA256
d0123ecdd83962566e620da8f4dbb3a254ed614370d67a07f6c26c3ebbd12c06

SHA512
af21f10ed6ce8b1e98be439f05786dee2dbbe4d5930853ec383f607a9c03b94609d35234bc793422768c1eda342376ca8bb87d6f3a02f30af9fcf37a0cff1bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Filesize
90KB

MD5
d84e7f79f4f0d7074802d2d6e6f3579e

SHA1
494937256229ef022ff05855c3d410ac3e7df721

SHA256
dcfc2b4fa3185df415855ec54395d9c36612f68100d046d8c69659da01f7d227

SHA512
ed7b0ac098c8184b611b83158eaa86619001e74dba079d398b34ac694ce404ba133c2baf43051840132d6a3a089a375550072543b9fab2549d57320d13502260

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Crashpad\settings.dat
Filesize
152B

MD5
1430a155a5f8505a10b8cef46b5e76e3

SHA1
32b5f9f16a596b659fb8eb65dd69e8612d4bb99d

SHA256
fa5d43e1ef7c55731e7f52bf3a09cdff38c00854bec1bb5de152510fa81c332f

SHA512
af2455be86a76e34d6dc385c5d76ac3353417c61f9715b216bf9ef988726dcce2453bf4e1b915ceb43c1e98bb5914e801cb0a89f69898a6b6a434d46a9155138

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Crashpad\settings.dat
Filesize
152B

MD5
9c86a01e856d8ed6052ca14bb12a156b

SHA1
3253c6558b16557e02f1ceb67bf90b00aa41fc84

SHA256
f074b3bb1b8f89e6766b535e5887eb5ca3ca9c46ad1a24b3ad48e74a9d7385fb

SHA512
81294d3a9119c4db611d30cd8970e328d3f8eeda1af91999bc20276119af3da8c3ba7fd6596bd0aa2575b60264f9c377f14be4008a1e986e33f07d34b3d2d9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Crashpad\settings.dat
Filesize
152B

MD5
a096111c1ff507efa0e6ad3a8817567e

SHA1
57c4d9e641d34a6fa25486fdab706001ad312652

SHA256
0df79a7af412d19e402ea971f27c0b639afdc08330d8b6a224a28cbfd3c2745a

SHA512
acce2231e2ce64160c87e1dec3c316087159179748445b61dc94a9768f8cff51dcbae0ad1b796b617a7e9a447e9ba204c0472870693bc92c919576e0c183126d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Crashpad\throttle_store.dat
Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Network Persistent State
Filesize
935B

MD5
7dcb19db40e2d0610b22f4c531f24b78

SHA1
1fb43b2fe614df59e5068605a9bb6ae69fe79813

SHA256
f4c8707e6d6b70abc5c560ac54ce0392cc81627f9be8cae39af3ecea980c80d3

SHA512
975500c92e633cf8f9170f2a74da615651e83021df3549f29a68e8561d7267a7a9793938bc98b765bfbe2b376b203f8c735d44a9340c7bc6919f6fa02e167e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Network Persistent State~RFe59e64f.TMP
Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Preferences
Filesize
3KB

MD5
9a5c7d514f4e79967da257ee024fae9f

SHA1
cf0947eb01f79f7df8e6355a0f9a0ea244ccdf49

SHA256
3a97e6b022d9498c114d22096e14f9ff256a174678dda76c6728320c8038445a

SHA512
f69fb6e5187a8f201126699b8142f30807ef6dfe32888707f390c4574ec5ebedc665738b8eb8157a878db03c737cf5d3d225390b2106f77f7e5e615a79dfa6a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Preferences~RFe59e3de.TMP
Filesize
3KB

MD5
b7734086a0aa992e86464d448ff7d39c

SHA1
50982e63a41928589fd36a963c0015dd5b9594a4

SHA256
974a65055059d23ddd6ec250def85a822a16b86a95f51d914c45317edbbe43a3

SHA512
f47d5aab03dc427c32fffd630dec3dfa0f57c329380a4daaa82547b710a698a9cbcf2a0fe50c1adb1d75ebf852c2f22481caf2dec5cc4a489ff0f7dd58610c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Sync Data\LevelDB\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Sync Data\LevelDB\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Local State
Filesize
8KB

MD5
7d6e8a6e6309960555c72f698ea73b9a

SHA1
976888fe678283cea3b80bfff0dbd507accade2d

SHA256
06144abeca9be10187d0ff318394b8490f8705de4240421241bc02f5ab96877a

SHA512
7c8b209930830d9f0861e8d9f061403dc2c3431e1f2fd08eafaaef98f00dd29da5f6531771118f708f0e8a322ddf6b5c76e5a55bb0ef8b0f50d1e2ef83b4a8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Local State~RFe591dcf.TMP
Filesize
8KB

MD5
8a3b56c2f7297381d0a561398f73db24

SHA1
cf877ff1487b277feb6bfb0e8964969da8552cf0

SHA256
2d8b8a4a40cdfa2dcd51be6fa5c13609580d71b5d10e8a36fd9a963e792c0e7c

SHA512
9642dc6c6a21a5a6cf430a8f5fdfb2ac4e52d6966ce00b0372a610d86c2b4d2fbf335f0a3824f744755709b24ae0bf1b2ad470853dff0136a03a3a69fb6bbc0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\libcurl.dll
Filesize
522KB

MD5
e31f5136d91bad0fcbce053aac798a30

SHA1
ee785d2546aec4803bcae08cdebfd5d168c42337

SHA256
ee94e2201870536522047e6d7fe7b903a63cd2e13e20c8fffc86d0e95361e671

SHA512
a1543eb1d10d25efb44f9eaa0673c82bfac5173055d04c0f3be4792984635a7c774df57a8e289f840627754a4e595b855d299070d469e0f1e637c3f35274abe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\zlib1.dll
Filesize
113KB

MD5
75365924730b0b2c1a6ee9028ef07685

SHA1
a10687c37deb2ce5422140b541a64ac15534250f

SHA256
945e7f5d09938b7769a4e68f4ef01406e5af9f40db952cba05ddb3431dd1911b

SHA512
c1e31c18903e657203ae847c9af601b1eb38efa95cb5fa7c1b75f84a2cba9023d08f1315c9bb2d59b53256dfdb3bac89930252138475491b21749471adc129a1

Download Submit
C:\Users\Admin\Downloads\Solara.zip
Filesize
400KB

MD5
20804935c8018d330c47fa7acde89358

SHA1
7e79e69996cf54bf3da5807e37805db03d23f34e

SHA256
65dcaf8699e4d8d8aaa1c177fc49bfe4ff69ad4fd3891d61f68c5239e217cb14

SHA512
7c7cf8a3e6d90376a1a958c57527750c5a04d6d27c90397aac458898a34601a36c5f345afeabaa72f0ece7f3701ac729b68b5bd9f93252552feb4a1f092fc398

Download Submit
C:\Users\Admin\Downloads\Solara.zip:Zone.Identifier
Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 573135.crdownload
Filesize
8.4MB

MD5
8450908897067c9527740d735897740b

SHA1
71c993302b3174fe4fd712eaf8886a4842778e42

SHA256
f5a04c5d6ddcb4cc3925656919c37a9ca18f20f3623c722dc45499cf1e4de8a8

SHA512
841d6d732db87ca350dd7f4eda273584810dc976f6a368a141de8ea8d87113e8f8ef92c747ee2fa3dc8f906456e2c2c17b122d3f86dea9042c40acb9170848f8

Download Submit
\??\pipe\crashpad_844_TZPGVKOTWDGDQZXQ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1516-2007-0x0000012BE8490000-0x0000012BE84E2000-memory.dmp

Filesize
328KB

Download
memory/2944-2346-0x0000000180000000-0x0000000180A5B000-memory.dmp

Filesize
10.4MB

Download
memory/2944-2042-0x000002526C6E0000-0x000002526C792000-memory.dmp

Filesize
712KB

Download
memory/2944-2058-0x0000000180000000-0x0000000180A5B000-memory.dmp

Filesize
10.4MB

Download
memory/2944-2059-0x0000000180000000-0x0000000180A5B000-memory.dmp

Filesize
10.4MB

Download
memory/2944-2986-0x0000000180000000-0x0000000180A5B000-memory.dmp

Filesize
10.4MB

Download
memory/2944-2047-0x000002526D1F0000-0x000002526D26E000-memory.dmp

Filesize
504KB

Download
memory/2944-2045-0x000002526C5D0000-0x000002526C5DE000-memory.dmp

Filesize
56KB

Download
memory/2944-3024-0x0000000180000000-0x0000000180A5B000-memory.dmp

Filesize
10.4MB

Download
memory/2944-2060-0x0000000180000000-0x0000000180A5B000-memory.dmp

Filesize
10.4MB

Download
memory/2944-2532-0x0000000180000000-0x0000000180A5B000-memory.dmp

Filesize
10.4MB

Download
memory/2944-2203-0x0000000180000000-0x0000000180A5B000-memory.dmp

Filesize
10.4MB

Download
memory/2944-2848-0x0000000180000000-0x0000000180A5B000-memory.dmp

Filesize
10.4MB

Download
memory/2944-2043-0x000002526C5E0000-0x000002526C602000-memory.dmp

Filesize
136KB

Download
memory/2944-2066-0x0000025270540000-0x0000025270578000-memory.dmp

Filesize
224KB

Download
memory/2944-2040-0x000002526C620000-0x000002526C6DA000-memory.dmp

Filesize
744KB

Download
memory/2944-3082-0x0000000180000000-0x0000000180A5B000-memory.dmp

Filesize
10.4MB

Download
memory/2944-2039-0x000002526C9B0000-0x000002526CEEC000-memory.dmp

Filesize
5.2MB

Download
memory/2944-3102-0x0000000180000000-0x0000000180A5B000-memory.dmp

Filesize
10.4MB

Download
memory/2944-2061-0x0000000180000000-0x0000000180A5B000-memory.dmp

Filesize
10.4MB

Download
memory/2944-2003-0x0000025251E00000-0x0000025251E1A000-memory.dmp

Filesize
104KB

Download
memory/2944-3151-0x0000000180000000-0x0000000180A5B000-memory.dmp

Filesize
10.4MB

Download
memory/2944-2065-0x000002526C990000-0x000002526C998000-memory.dmp

Filesize
32KB

Download
memory/2944-2356-0x0000000180000000-0x0000000180A5B000-memory.dmp

Filesize
10.4MB

Download
memory/2944-3186-0x0000000180000000-0x0000000180A5B000-memory.dmp

Filesize
10.4MB

Download
memory/2944-3212-0x0000000180000000-0x0000000180A5B000-memory.dmp

Filesize
10.4MB

Download
memory/2944-2358-0x0000000180000000-0x0000000180A5B000-memory.dmp

Filesize
10.4MB

Download
memory/2944-2067-0x000002526FF60000-0x000002526FF6E000-memory.dmp

Filesize
56KB

Download
memory/2944-6712-0x0000000180000000-0x0000000180A5B000-memory.dmp

Filesize
10.4MB

Download
memory/3892-538-0x0000000005AA0000-0x0000000005AB2000-memory.dmp

Filesize
72KB

Download
memory/3892-535-0x00000000004C0000-0x00000000004CA000-memory.dmp

Filesize
40KB

Download
memory/3892-536-0x0000000004F90000-0x0000000004F9A000-memory.dmp

Filesize
40KB

Download
memory/4136-2088-0x00007FFD3BD30000-0x00007FFD3BD31000-memory.dmp

Filesize
4KB

Download
memory/7456-6749-0x00007FFD3BD20000-0x00007FFD3BD2D000-memory.dmp

Filesize
52KB

Download
memory/7456-6730-0x00007FFD3B510000-0x00007FFD3B530000-memory.dmp

Filesize
128KB

Download
memory/7456-6747-0x00007FFD3BD20000-0x00007FFD3BD2D000-memory.dmp

Filesize
52KB

Download
memory/7456-6716-0x00007FFD3D040000-0x00007FFD3D050000-memory.dmp

Filesize
64KB

Download
memory/7456-6715-0x00007FFD3D040000-0x00007FFD3D050000-memory.dmp

Filesize
64KB

Download
memory/7456-6714-0x00007FFD3CF20000-0x00007FFD3CF30000-memory.dmp

Filesize
64KB

Download
memory/7456-6728-0x00007FFD3B510000-0x00007FFD3B530000-memory.dmp

Filesize
128KB

Download
memory/7456-6748-0x00007FFD3BD20000-0x00007FFD3BD2D000-memory.dmp

Filesize
52KB

Download
memory/7456-6729-0x00007FFD3B510000-0x00007FFD3B530000-memory.dmp

Filesize
128KB

Download
memory/7456-6727-0x00007FFD3B510000-0x00007FFD3B530000-memory.dmp

Filesize
128KB

Download
memory/7456-6726-0x00007FFD3B4F0000-0x00007FFD3B500000-memory.dmp

Filesize
64KB

Download
memory/7456-6725-0x00007FFD3B4F0000-0x00007FFD3B500000-memory.dmp

Filesize
64KB

Download
memory/7456-6750-0x00007FFD3BD20000-0x00007FFD3BD2D000-memory.dmp

Filesize
52KB

Download
memory/7456-6723-0x00007FFD3B460000-0x00007FFD3B470000-memory.dmp

Filesize
64KB

Download
memory/7456-6734-0x00007FFD3A480000-0x00007FFD3A490000-memory.dmp

Filesize
64KB

Download
memory/7456-6742-0x00007FFD3A7C0000-0x00007FFD3A7D0000-memory.dmp

Filesize
64KB

Download
memory/7456-6754-0x00007FFD3BFF0000-0x00007FFD3C000000-memory.dmp

Filesize
64KB

Download
memory/7456-6753-0x00007FFD3BFF0000-0x00007FFD3C000000-memory.dmp

Filesize
64KB

Download
memory/7456-6751-0x00007FFD3BD20000-0x00007FFD3BD2D000-memory.dmp

Filesize
52KB

Download
memory/7456-6717-0x00007FFD3D090000-0x00007FFD3D0C0000-memory.dmp

Filesize
192KB

Download
memory/7456-6724-0x00007FFD3B460000-0x00007FFD3B470000-memory.dmp

Filesize
64KB

Download
memory/7456-6719-0x00007FFD3D090000-0x00007FFD3D0C0000-memory.dmp

Filesize
192KB

Download
memory/7456-6718-0x00007FFD3D090000-0x00007FFD3D0C0000-memory.dmp

Filesize
192KB

Download
memory/7456-6746-0x00007FFD3BCE0000-0x00007FFD3BCF0000-memory.dmp

Filesize
64KB

Download
memory/7456-6745-0x00007FFD3BCE0000-0x00007FFD3BCF0000-memory.dmp

Filesize
64KB

Download
memory/7456-6744-0x00007FFD3BC70000-0x00007FFD3BC80000-memory.dmp

Filesize
64KB

Download
memory/7456-6743-0x00007FFD3BC70000-0x00007FFD3BC80000-memory.dmp

Filesize
64KB

Download
memory/7456-6741-0x00007FFD3A7C0000-0x00007FFD3A7D0000-memory.dmp

Filesize
64KB

Download
memory/7456-6740-0x00007FFD3A7C0000-0x00007FFD3A7D0000-memory.dmp

Filesize
64KB

Download
memory/7456-6739-0x00007FFD3A7A0000-0x00007FFD3A7B0000-memory.dmp

Filesize
64KB

Download
memory/7456-6738-0x00007FFD3A7A0000-0x00007FFD3A7B0000-memory.dmp

Filesize
64KB

Download
memory/7456-6737-0x00007FFD3A7A0000-0x00007FFD3A7B0000-memory.dmp

Filesize
64KB

Download
memory/7456-6736-0x00007FFD3A5F0000-0x00007FFD3A600000-memory.dmp

Filesize
64KB

Download
memory/7456-6735-0x00007FFD3A5F0000-0x00007FFD3A600000-memory.dmp

Filesize
64KB

Download
memory/7456-6752-0x00007FFD3BFF0000-0x00007FFD3C000000-memory.dmp

Filesize
64KB

Download
memory/7456-6733-0x00007FFD3A480000-0x00007FFD3A490000-memory.dmp

Filesize
64KB

Download
memory/7456-6732-0x00007FFD3B600000-0x00007FFD3B60C000-memory.dmp

Filesize
48KB

Download
memory/7456-6731-0x00007FFD3B510000-0x00007FFD3B530000-memory.dmp

Filesize
128KB

Download
memory/7456-6720-0x00007FFD3D090000-0x00007FFD3D0C0000-memory.dmp

Filesize
192KB

Download
memory/7456-6713-0x00007FFD3CF20000-0x00007FFD3CF30000-memory.dmp

Filesize
64KB

Download
memory/7456-6721-0x00007FFD3D090000-0x00007FFD3D0C0000-memory.dmp

Filesize
192KB

Download
memory/7456-6722-0x00007FFD3D120000-0x00007FFD3D129000-memory.dmp

Filesize
36KB

Download