hxxps://workupload[.]com/file/nyhJyeFsQGN

Analysis

max time kernel
80s
max time network
84s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
09-07-2024 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://workupload.com/file/nyhJyeFsQGN

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
784	Solara.exe
2856	VC_redist.x64.exe
1216	VC_redist.x64.exe
1528	VC_redist.x64.exe
2660	Solara.exe

Loads dropped DLL 2 IoCs

pid	Process
1216	VC_redist.x64.exe
3672	VC_redist.x64.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{5af95fd8-a22e-458f-acee-c61bd787178e} = "\"C:\\ProgramData\\Package Cache\\{5af95fd8-a22e-458f-acee-c61bd787178e}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File created	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_threads.dll	msiexec.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\mfc140.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e587d4d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8440.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF96B06BE938BFD308.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFBB6D209E8D7489F8.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e587d3a.msi	msiexec.exe
File created	C:\Windows\Installer\e587d4c.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{59CED48F-EBFE-480C-8A38-FC079C2BEC0F}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF0D7F536EAF2BC4A3.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\e587d4d.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF9D835DD5012E2C80.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF544EF4E772F62572.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI853B.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7F5C.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B8B3BB4A-A10D-4F51-91B7-A64FFAC31EA7}	msiexec.exe
File created	C:\Windows\SystemTemp\~DFD596F6CCDB226B2F.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI80B5.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF1BDBDBA753449CE1.TMP	msiexec.exe
File created	C:\Windows\Installer\e587d62.msi	msiexec.exe
File created	C:\Windows\Installer\e587d3a.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF50C9582CEF5A1FD6.TMP	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000bcc5590ebeaf935f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000bcc5590e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900bcc5590e000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dbcc5590e000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000bcc5590e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{5af95fd8-a22e-458f-acee-c61bd787178e}	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\Dependents\{5af95fd8-a22e-458f-acee-c61bd787178e}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{B8B3BB4A-A10D-4F51-91B7-A64FFAC31EA7}v14.40.33810\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\PackageCode = "0F1976868EAF8784585CF1DB265C6A81"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Version = "14.40.33810"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F84DEC95EFBEC084A883CF70C9B2CEF0\Servicing_Key	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\ProductName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.40.33810"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X64,AMD64,14.30,BUNDLE\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\PackageCode = "A40E8013387385E43AA0F61A9357B166"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\Version = "237536274"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1\F84DEC95EFBEC084A883CF70C9B2CEF0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList\PackageName = "vc_runtimeAdditional_x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-299327586-1226193722-3477828593-1000\{21E5FEE7-53E4-4F87-9A0A-C7D40AC15D8C}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\Version = "14.40.33810.0"	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\InstanceType = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A4BB3B8BD01A15F4197B6AF4AF3CE17A\VC_Runtime_Minimum	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.40.33810"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{59CED48F-EBFE-480C-8A38-FC079C2BEC0F}v14.40.33810\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.40.33810"	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.40.33810"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.40.33810"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F84DEC95EFBEC084A883CF70C9B2CEF0\Provider	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53\A4BB3B8BD01A15F4197B6AF4AF3CE17A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F84DEC95EFBEC084A883CF70C9B2CEF0\VC_Runtime_Additional	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\Dependents	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Provider	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{5af95fd8-a22e-458f-acee-c61bd787178e}	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Servicing_Key	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{59CED48F-EBFE-480C-8A38-FC079C2BEC0F}v14.40.33810\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle	VC_redist.x64.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 132878.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Solara.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 983536.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\VC_redist.x64.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2712	msedge.exe
2712	msedge.exe
4868	msedge.exe
4868	msedge.exe
4848	identity_helper.exe
4848	identity_helper.exe
916	msedge.exe
916	msedge.exe
72	msedge.exe
72	msedge.exe
3016	msedge.exe
3016	msedge.exe
4428	msedge.exe
4428	msedge.exe
3552	msiexec.exe
3552	msiexec.exe
3552	msiexec.exe
3552	msiexec.exe
3552	msiexec.exe
3552	msiexec.exe
3552	msiexec.exe
3552	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	4632	vssvc.exe
Token: SeRestorePrivilege	4632	vssvc.exe
Token: SeAuditPrivilege	4632	vssvc.exe
Token: SeShutdownPrivilege	1528	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	1528	VC_redist.x64.exe
Token: SeSecurityPrivilege	3552	msiexec.exe
Token: SeCreateTokenPrivilege	1528	VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege	1528	VC_redist.x64.exe
Token: SeLockMemoryPrivilege	1528	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	1528	VC_redist.x64.exe
Token: SeMachineAccountPrivilege	1528	VC_redist.x64.exe
Token: SeTcbPrivilege	1528	VC_redist.x64.exe
Token: SeSecurityPrivilege	1528	VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege	1528	VC_redist.x64.exe
Token: SeLoadDriverPrivilege	1528	VC_redist.x64.exe
Token: SeSystemProfilePrivilege	1528	VC_redist.x64.exe
Token: SeSystemtimePrivilege	1528	VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege	1528	VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege	1528	VC_redist.x64.exe
Token: SeCreatePagefilePrivilege	1528	VC_redist.x64.exe
Token: SeCreatePermanentPrivilege	1528	VC_redist.x64.exe
Token: SeBackupPrivilege	1528	VC_redist.x64.exe
Token: SeRestorePrivilege	1528	VC_redist.x64.exe
Token: SeShutdownPrivilege	1528	VC_redist.x64.exe
Token: SeDebugPrivilege	1528	VC_redist.x64.exe
Token: SeAuditPrivilege	1528	VC_redist.x64.exe
Token: SeSystemEnvironmentPrivilege	1528	VC_redist.x64.exe
Token: SeChangeNotifyPrivilege	1528	VC_redist.x64.exe
Token: SeRemoteShutdownPrivilege	1528	VC_redist.x64.exe
Token: SeUndockPrivilege	1528	VC_redist.x64.exe
Token: SeSyncAgentPrivilege	1528	VC_redist.x64.exe
Token: SeEnableDelegationPrivilege	1528	VC_redist.x64.exe
Token: SeManageVolumePrivilege	1528	VC_redist.x64.exe
Token: SeImpersonatePrivilege	1528	VC_redist.x64.exe
Token: SeCreateGlobalPrivilege	1528	VC_redist.x64.exe
Token: SeRestorePrivilege	3552	msiexec.exe
Token: SeTakeOwnershipPrivilege	3552	msiexec.exe
Token: SeBackupPrivilege	4680	srtasks.exe
Token: SeRestorePrivilege	4680	srtasks.exe
Token: SeSecurityPrivilege	4680	srtasks.exe
Token: SeTakeOwnershipPrivilege	4680	srtasks.exe
Token: SeRestorePrivilege	3552	msiexec.exe
Token: SeTakeOwnershipPrivilege	3552	msiexec.exe
Token: SeRestorePrivilege	3552	msiexec.exe
Token: SeTakeOwnershipPrivilege	3552	msiexec.exe
Token: SeRestorePrivilege	3552	msiexec.exe
Token: SeTakeOwnershipPrivilege	3552	msiexec.exe
Token: SeRestorePrivilege	3552	msiexec.exe
Token: SeTakeOwnershipPrivilege	3552	msiexec.exe
Token: SeRestorePrivilege	3552	msiexec.exe
Token: SeTakeOwnershipPrivilege	3552	msiexec.exe
Token: SeRestorePrivilege	3552	msiexec.exe
Token: SeTakeOwnershipPrivilege	3552	msiexec.exe
Token: SeRestorePrivilege	3552	msiexec.exe
Token: SeTakeOwnershipPrivilege	3552	msiexec.exe
Token: SeRestorePrivilege	3552	msiexec.exe
Token: SeTakeOwnershipPrivilege	3552	msiexec.exe
Token: SeRestorePrivilege	3552	msiexec.exe
Token: SeTakeOwnershipPrivilege	3552	msiexec.exe
Token: SeRestorePrivilege	3552	msiexec.exe
Token: SeTakeOwnershipPrivilege	3552	msiexec.exe
Token: SeRestorePrivilege	3552	msiexec.exe
Token: SeTakeOwnershipPrivilege	3552	msiexec.exe
Token: SeRestorePrivilege	3552	msiexec.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
1216	VC_redist.x64.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 5012	4868	msedge.exe	77
PID 4868 wrote to memory of 5012	4868	msedge.exe	77
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2488	4868	msedge.exe	78
PID 4868 wrote to memory of 2712	4868	msedge.exe	79
PID 4868 wrote to memory of 2712	4868	msedge.exe	79
PID 4868 wrote to memory of 3340	4868	msedge.exe	80
PID 4868 wrote to memory of 3340	4868	msedge.exe	80
PID 4868 wrote to memory of 3340	4868	msedge.exe	80
PID 4868 wrote to memory of 3340	4868	msedge.exe	80
PID 4868 wrote to memory of 3340	4868	msedge.exe	80
PID 4868 wrote to memory of 3340	4868	msedge.exe	80
PID 4868 wrote to memory of 3340	4868	msedge.exe	80
PID 4868 wrote to memory of 3340	4868	msedge.exe	80
PID 4868 wrote to memory of 3340	4868	msedge.exe	80
PID 4868 wrote to memory of 3340	4868	msedge.exe	80
PID 4868 wrote to memory of 3340	4868	msedge.exe	80
PID 4868 wrote to memory of 3340	4868	msedge.exe	80
PID 4868 wrote to memory of 3340	4868	msedge.exe	80
PID 4868 wrote to memory of 3340	4868	msedge.exe	80
PID 4868 wrote to memory of 3340	4868	msedge.exe	80
PID 4868 wrote to memory of 3340	4868	msedge.exe	80
PID 4868 wrote to memory of 3340	4868	msedge.exe	80
PID 4868 wrote to memory of 3340	4868	msedge.exe	80
PID 4868 wrote to memory of 3340	4868	msedge.exe	80
PID 4868 wrote to memory of 3340	4868	msedge.exe	80

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://workupload.com/file/nyhJyeFsQGN
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xdc,0x104,0x108,0xe8,0x10c,0x7fffc85f3cb8,0x7fffc85f3cc8,0x7fffc85f3cd8
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1984 /prefetch:2
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:252
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5820 /prefetch:8
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:72
- C:\Users\Admin\Downloads\Solara.exe
  "C:\Users\Admin\Downloads\Solara.exe"
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3352 /prefetch:8
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2196 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3388 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,15947788913633784252,13084663452220791452,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6492 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4428
- C:\Users\Admin\Downloads\VC_redist.x64.exe
  "C:\Users\Admin\Downloads\VC_redist.x64.exe"
  2⤵
  - Executes dropped EXE
  PID:2856
- - C:\Windows\Temp\{D0197B5E-A1AD-429C-B4C7-62AD70E04395}\.cr\VC_redist.x64.exe
    "C:\Windows\Temp\{D0197B5E-A1AD-429C-B4C7-62AD70E04395}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\Downloads\VC_redist.x64.exe" -burn.filehandle.attached=592 -burn.filehandle.self=600
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:1216
  - - C:\Windows\Temp\{15F374F3-CF74-4E7C-8D21-E27101807FCE}\.be\VC_redist.x64.exe
      "C:\Windows\Temp\{15F374F3-CF74-4E7C-8D21-E27101807FCE}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{E8D84EBC-209D-4143-A4BE-7A74F5536364} {EC4C0A19-3223-4146-949A-9E21AA46F9C2} 1216
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:1528
    - - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={5af95fd8-a22e-458f-acee-c61bd787178e} -burn.filehandle.self=1004 -burn.embedded BurnPipe.{3905ECC7-EF91-4B4C-842D-914AA5AC0374} {F61500F5-16E8-455B-B6CE-C80B54201E6D} 1528
        5⤵
        
        PID:5064
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=572 -burn.filehandle.self=588 -uninstall -quiet -burn.related.upgrade -burn.ancestors={5af95fd8-a22e-458f-acee-c61bd787178e} -burn.filehandle.self=1004 -burn.embedded BurnPipe.{3905ECC7-EF91-4B4C-842D-914AA5AC0374} {F61500F5-16E8-455B-B6CE-C80B54201E6D} 1528
        6⤵
        Loads dropped DLL
        
        PID:3672
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{669A7C8E-A446-452C-96BF-1A894DFAE098} {62973085-8EF2-4ED5-A236-1C8D4BAA7AA9} 3672
        7⤵
        Modifies registry class
        
        PID:3412
- C:\Users\Admin\Downloads\Solara.exe
  "C:\Users\Admin\Downloads\Solara.exe"
  2⤵
  - Executes dropped EXE
  PID:2660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e587d3f.rbs

Filesize
19KB

MD5
91b28640160245aa945b47772c41b98f

SHA1
bf2db187e690e1864e84a69c5d5708066d0fc760

SHA256
bc7d588dda9e1947e60e55affcb43eedb59b2a3756a398e5b5f32342d84acb92

SHA512
f13c78cdda7bbef861ab8549c56a1228a8fc2f353e3f084bff61fcbc9057e6bf242fe2c7fa4bd3d90550d7d9673dec88a3d412b1e0b4418cf88325dbd983ae0e

Download Submit
C:\Config.Msi\e587d4b.rbs

Filesize
19KB

MD5
c694c80853df526beffafe0360ba2bb4

SHA1
ef73b9c02bfda44607c084e342010b50cd0ccd2e

SHA256
9527509f0e3cea7b6b7eda962870886225e726894a7883dd1aa12661f5b9d19a

SHA512
74309b34f898cba07ad321da6d679910a2f6fc04a599ecae77f4e096a7774b626c2e85cfdba7664b74c249b9f32ed0b30020c63b5328e4287d8d9f3c839bbd78

Download Submit
C:\Config.Msi\e587d52.rbs

Filesize
21KB

MD5
233ef9061d1feb93b35f8373d9fe8ee8

SHA1
b8b1486373ef2f409aae83a90e80974035c3dc41

SHA256
bb15dd4b15d59e79886393dc09c36be81e40a3edc197da36a2517050e24c045f

SHA512
bf2c8bab01a65a64a54bb21ae4c9748fef7dce738465cf91cc57f37e49e38311e924367c890d43c376e3e4690d42a9308fceab119a6afbea92ebb17d1479e9e4

Download Submit
C:\Config.Msi\e587d61.rbs

Filesize
21KB

MD5
ce53aae77c0cf3c2264c9746fc85a440

SHA1
c688bdb1a2323b4f43a44eeff11b2b804cab6e33

SHA256
db3c532fc823261213ed8e140cbba6841343945c57d15519c5a96c5721f03016

SHA512
71402a4a852e8573519fb4970e3d9a9064da30a6b8a201b8e2777aff8ba06c76f10d41770769585efb6447c71d17f9e4a25bf65b35cb274b78aaf54b0a49a3b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8db5917f9989b14874593acc38addada

SHA1
e2f1f19709d00cef4c7b8e1bca9a82855380a888

SHA256
69518d96a22b831de7923bc73ef0ce86cd8394befe8e1c20bf4f95285a15cc63

SHA512
39a70a4207338e819b5dd8dcb5b2b4edaa136a27d51edadac3f76f7de224c54753173a13a55667129f0310b3bbc9f258da0a5b9a7f8b7be6c3c45b64a04e40a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b03d35a1e3ffb7a9f63b3f24a32b8e85

SHA1
878b3c3c4877e1f132819392c12b7de69e1a500a

SHA256
832cc8b01bdcc3a2edda654aed8b35bd35b4b308f2843187157e805c61c90435

SHA512
fe947eea87acd7d8052bf802f5e1e0105379f07f84160ac51b7771c9d03ae0822b5d56e2ef09b13f0a16b53071df3001f4fe4f255307096477d3db2c9671ee23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
cff54d6db471c588de05a6e1e75f091c

SHA1
3d36372e1a675d5da65d86d7ebeaf6b54d5fe71f

SHA256
1ad42e772ae578633b598123d40a6cd44916cbd66495415ee34e7381138343da

SHA512
a560282beee8a9d3ef77e669edd67dc788f408867526c0bd2da78e15e0d57ae0a57328639d576b435d38871a96deb6afa9e97e21e7644c6f0661284f36c71f8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
74ba8eeddae443c2b6e7a438aafe6f3a

SHA1
1b63714713fae29ea88a365a19bd59ce6df2a794

SHA256
5ed63faf8bad8aa23271c4c32be5df4e0551ca1ae4cad7f0e5acd2919bd0b187

SHA512
a430f8ab94f6cccf0e9a6ef4ab63fc163a8c6a2c9cd4adc28c03a2916b68c2fd2f2f58ebce27411bc2c526230d32dc7de6589a2f7f93cd745a514a0bd64fc456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
352927b4057317a7fbe0c3f2ceb2fbbf

SHA1
04c699f4e3289063508044ef7962a5006e85751a

SHA256
522e221d7c1198182b906825cdb9c6a1fc9fd3e41a1ab458ae16c17759b5e2e4

SHA512
74b665716e1fd3cfc4e42cec449cffafe64ff4ceb598449548ce4ab873438c00695aaaff4476561b7185108a6576f124919637770a8122655c8956febb6975ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4a5d5529bcefd9f5ba84881590ea7f6c

SHA1
cbfd4e47fc52cd3f02026e68b4eb9ef7f30aab48

SHA256
c5dc5b0dfee5263d966e291325e5d599e26fa20cacfb1fde3216cb297dc954de

SHA512
94208dd3a4fb014aec62beeb024ece0775b69a8d312970577b30466317eda885337b189c26f944b0ae45672ecaa5e79c581784f2043e5d993f9632f2d6c24ed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
377bb6b163cec33d86c8ed91dec90a46

SHA1
748fb5c5486590af7ce1189afbecf0add9132070

SHA256
102bbe73aa09168acd9f9593221ca96b922a41f70502b005cfb41d0d9082fdf1

SHA512
39288ea6716d09a4f855ef61a4ef9808eaf59a1d9e6a2156d553c53240e046d868f81418fb057f8a0b8e8bbef62b06256e8178051df764a13355a35304f8dbd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5d839744af5af433498e19adcb07669a

SHA1
dc8878b169f6ed73e16eafad1113bd1aa2805947

SHA256
7b24aa9c8bc41ee369dcd805c28d5c077ca847ebabd30254f07cf2e42bdaf4b7

SHA512
ebaad58788709d14075bda3e5ba94e56cae9d4bf2fc93096bcbdcef5ede58a61b101a32e740284b863bc6de6e76f144a20cacb7c7d71f1cf6bf3c29aab3b0987

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1478ac00d36599cc19db27833146f10e

SHA1
7b3015599c79d45a553ecbbc3f9dad23498ec740

SHA256
91b33e6af838360d66e04e4973269b0a62e04e471e13081c68240172b5aa4e0c

SHA512
8ef7412601cd5b15fff1761df18760fef15a70f6a36a9b15e267f1f7c4b20cefb07e78f6b40d7c5c49b543f1a3230629d6684681d6e163d475746c1f8ee84b6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5833ad.TMP

Filesize
871B

MD5
dd31d1387a76efcf0349ba27ca998e36

SHA1
611a9e9607820aa4847e0444b627771a8fa8a320

SHA256
252b1f7f4bcd7d8255e49088ac701bc9af1f8f7cb05a2d41e0b47775562b56e5

SHA512
83350bc0f5f82e418c40f25234f3fcc8f9ed17ce0889199d8eb063e024f8138fca0d4379b486ee9e9e0a6a5e18bfb915a65055ad04eb48eb1b8b38e2952684ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8975c40be1a4242e69d654e8411acef9

SHA1
1e49966e1d4d215d139c37f306bc18f09164f688

SHA256
151e3757c332cea468dbfbda4b43fe676b42d5effa93d3f1f67a4237e571e7a6

SHA512
bc216530bb4b8c46fa67e6e19228245aefe23f4abb2c53b637c9ebc7676fb471b00bec42be3325fb8491481a460ce63148789e904380a16194b11074e84fc2c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f910baf9659d586a586a1687aa6573a0

SHA1
9cf5c7c939a792fb1bd8e0d2f1cd013dfe905d2f

SHA256
f01e8e9e5116e1f828cb6d8f4684c4afdb1447d8a70a79097db93f2fb33b646f

SHA512
d9d63f729fea8b12e8def9683c1b293357dce968120cc98e9744a0b6215fede06b6e71b0cf8ada78ce90e0fc48cf926e56f417e3c571e36018e9e82e525505a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240709034947_000_vcRuntimeMinimum_x64.log

Filesize
2KB

MD5
acb7e0a86b2e5b3c2ce9a7e5bb936282

SHA1
31831042a6e2bb4d965901c25a6c16b126c77fc1

SHA256
3df573a19a49e6b7994d4a331ab1103317c88cf6ebde87b8789b5aa3361add4f

SHA512
3b49ce498d935d77d34c4ca153fb766bb9d3f5cbc3ac88959355a1980dbc8659f7d77f766dce947205c308afe06c07b62fe20de1826f4c58587e561e9f77fbb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240709034947_001_vcRuntimeAdditional_x64.log

Filesize
2KB

MD5
8b3d770a3612bff33decbd901df7e2eb

SHA1
4aa06ce3968b090268a27d99a91111b430cd685d

SHA256
660d9ed3f518f1f2d3a5f7eb7d6364a1a927abe0a5cb97b1d6e5ef328e3b1399

SHA512
b9fcb749dd9d4fbbbfb539de77c2e5880ba47602f873b6f1671d2c6fa3a57dcb1ce21092ac9c4a14009127ef73cf943689f6dec3a266191b5eca6e546f26ed87

Download Submit
C:\Users\Admin\Downloads\Solara.exe:Zone.Identifier

Filesize
120B

MD5
165627177b17ee9f5c99d4702e01927e

SHA1
95a1dad0759122abe249ca7e57410d5f3e0a21d2

SHA256
78544132bc7e856e86066ffd79abe7db01f6433725fb29caba47ac9f2d863586

SHA512
323b074b51d37d4ce7d830ee96fc74d06943959d430d82b69b3953ab5a6cd35ae40cde11065d248f5665df3f5e1db30a9acdc53684000246df7aa53e9a1b5219

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 132878.crdownload

Filesize
101KB

MD5
ea70de335578a3fc5e82acfa70da186e

SHA1
b0b1aaedc73efa83da96800cc6ce8a5f90a4bf46

SHA256
f82638403ec312054538689c5fb88486c71eb78287fe509ba87cb5bb9801dd4b

SHA512
0260ec7ec8cd7753671cba6fa13c6c440cea042b2649ab0cbe9cd9fed1236d388ecf76db6dfce9e596160b140deae7eb6e59d36cf9ec3d873e38cb5500ebe488

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 983536.crdownload

Filesize
24.2MB

MD5
1d545507009cc4ec7409c1bc6e93b17b

SHA1
84c61fadf8cd38016fb7632969b3ace9e54b763a

SHA256
3642e3f95d50cc193e4b5a0b0ffbf7fe2c08801517758b4c8aeb7105a091208a

SHA512
5935b69f5138ac3fbc33813c74da853269ba079f910936aefa95e230c6092b92f6225bffb594e5dd35ff29bf260e4b35f91adede90fdf5f062030d8666fd0104

Download Submit
C:\Users\Admin\Downloads\VC_redist.x64.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\Temp\{15F374F3-CF74-4E7C-8D21-E27101807FCE}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{15F374F3-CF74-4E7C-8D21-E27101807FCE}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{15F374F3-CF74-4E7C-8D21-E27101807FCE}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

Filesize
5.4MB

MD5
d5a3fd8ad806f66d33d652d5913a95b3

SHA1
7b1bb6cdbe700acc2434dc52c40cdd96a6462a17

SHA256
cc001c20f85e16015e0d23eb0c3a9bc3c3cdcc1adda53f88ac77dd29705ba01a

SHA512
594d710133f44049546c62c3c89614415ad776c24f3ada0a8d1724e6daf27f941eba43a05a096d90cdf51ad51c02462edd6308e2aa393cb8325fde256ed77037

Download Submit
C:\Windows\Temp\{15F374F3-CF74-4E7C-8D21-E27101807FCE}\cab5046A8AB272BF37297BB7928664C9503

Filesize
962KB

MD5
8eccd85b6c4273a28a54b0687feb6a96

SHA1
be791128af5713d407df2f7436ea8de1a80ca725

SHA256
8fafd6d0754ee53125902df1b67ef2db86eb7af4c097522f2fb58443501fecdd

SHA512
9fdcb359a5748d0d920e1e12cf31de42fa224840fd11e5878f7caff7c4495b4facacf1a58cdaf0caadd0d9a3af871870b755245d2c1af33f07f3229b85101da0

Download Submit
C:\Windows\Temp\{15F374F3-CF74-4E7C-8D21-E27101807FCE}\vcRuntimeAdditional_x64

Filesize
188KB

MD5
5fc68510b7425822a9d0928567ffbd1b

SHA1
f506d97ceac3c435ce6bafda7c47d9a35fc57714

SHA256
7489cdde6a0c8aadb3253f22c460c2dc8099ba677f42d46b277f7040327c9b28

SHA512
4dd4d99ace30eb1add9ae225f159f68636d42d1899acb50f616717f05045e402a2bbb76e4d86569a08ae74bb161b3911a73910fcc7044429da34159cf6b9f473

Download Submit
C:\Windows\Temp\{15F374F3-CF74-4E7C-8D21-E27101807FCE}\vcRuntimeMinimum_x64

Filesize
188KB

MD5
0d00edf7e9ad7cfa74f32a524a54f117

SHA1
eea03c0439475a8e4e8e9a9b271faaa554539e18

SHA256
e55a6c147daab01c66aed5e6be0c990bbed0cb78f1c0898373713343ef8556cd

SHA512
0b6730fa8d484466a1ee2a9594572fa40fb8eea4ec70b5d67f5910436ee1d07c80a029cf1f8e488a251439ac1121fd0a76a726836e4cb72dd0fe531ce9692f6a

Download Submit
C:\Windows\Temp\{D0197B5E-A1AD-429C-B4C7-62AD70E04395}\.cr\VC_redist.x64.exe

Filesize
635KB

MD5
ae0540106cfd901b091d3d241e5cb4b0

SHA1
97f93b6e00a5069155a52aa5551e381b6b4221eb

SHA256
8cd998a0318f07a27f78b75edb19479f44273590e300629eff237d47643c496c

SHA512
29bb486bfdd541ba6aed7a2543ff0eb66865af737a8fb79484fb77cb412c3b357c71c16addf232c759d3c20c5e18128df43c68d1cba23f1c363fd9e0b7188177

Download Submit
memory/784-106-0x00007FF70AEA0000-0x00007FF70AECF000-memory.dmp

Filesize
188KB

Download
memory/2660-697-0x00007FF70AEA0000-0x00007FF70AECF000-memory.dmp

Filesize
188KB

Download
memory/3412-600-0x0000000000A60000-0x0000000000AD7000-memory.dmp

Filesize
476KB

Download
memory/3552-698-0x000001F7B1B50000-0x000001F7B2612000-memory.dmp

Filesize
10.8MB

Download
memory/3672-637-0x0000000000A60000-0x0000000000AD7000-memory.dmp

Filesize
476KB

Download
memory/5064-638-0x0000000000A60000-0x0000000000AD7000-memory.dmp

Filesize
476KB

Download