hxxps://url[.]rw/Solara/

Resubmissions

09/08/2024, 22:26

240809-2csyyssdnp 6

09/08/2024, 22:19

240809-18ynmsscjp 10

09/08/2024, 22:18

240809-17yl9asbnp 1

09/08/2024, 22:15

240809-16pyqawcme 3

Analysis

max time kernel
311s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://url.rw/Solara/

Score

10^/10

credential_access discovery spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4628 created 4612	4628	taskmgr.exe	201
PID 4628 created 4612	4628	taskmgr.exe	201

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 3492 created 3516	3492	Be.pif	56
PID 1340 created 3516	1340	Be.pif	56
PID 2332 created 3516	2332	Be.pif	56
PID 2824 created 3516	2824	Be.pif	56

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 10 IoCs

pid	Process
3492	Be.pif
4864	RegAsm.exe
1340	Be.pif
2332	Be.pif
2824	Be.pif
812	RegAsm.exe
924	RegAsm.exe
1056	Be.pif
4612	RegAsm.exe
1904	Be.pif

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Enumerates processes with tasklist 1 TTPs 12 IoCs

discovery

Process Discovery

T1057

pid	Process
224	tasklist.exe
1348	tasklist.exe
3560	tasklist.exe
2492	tasklist.exe
4588	tasklist.exe
5016	tasklist.exe
3792	tasklist.exe
4756	tasklist.exe
3932	tasklist.exe
3080	tasklist.exe
4388	tasklist.exe
3788	tasklist.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\EpResearcher	SolaraBootstrapper.exe
File opened for modification	C:\Windows\EpResearcher	SolaraBootstrapper.exe
File opened for modification	C:\Windows\EpResearcher	SolaraBootstrapper.exe
File opened for modification	C:\Windows\EpResearcher	SolaraBootstrapper.exe
File opened for modification	C:\Windows\EpResearcher	SolaraBootstrapper.exe
File opened for modification	C:\Windows\EpResearcher	SolaraBootstrapper.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Be.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SolaraBootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Be.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SolaraBootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SolaraBootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Be.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Be.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SolaraBootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Be.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SolaraBootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Be.pif

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133677156207723247"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3788	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3492	Be.pif
3492	Be.pif
3492	Be.pif
3492	Be.pif
3492	Be.pif
3492	Be.pif
3492	Be.pif
3492	Be.pif
3492	Be.pif
3492	Be.pif
4864	RegAsm.exe
4864	RegAsm.exe
4864	RegAsm.exe
4864	RegAsm.exe
4864	RegAsm.exe
4864	RegAsm.exe
4864	RegAsm.exe
4864	RegAsm.exe
4864	RegAsm.exe
4864	RegAsm.exe
4864	RegAsm.exe
4864	RegAsm.exe
4864	RegAsm.exe
4864	RegAsm.exe
4864	RegAsm.exe
4864	RegAsm.exe
4864	RegAsm.exe
4864	RegAsm.exe
4864	RegAsm.exe
4864	RegAsm.exe
1340	Be.pif
1340	Be.pif
1340	Be.pif
1340	Be.pif
1340	Be.pif
1340	Be.pif
2332	Be.pif
2332	Be.pif
2332	Be.pif
2332	Be.pif
2332	Be.pif
2332	Be.pif
2824	Be.pif
2824	Be.pif
2824	Be.pif
2824	Be.pif
2824	Be.pif
2824	Be.pif
1340	Be.pif
1340	Be.pif
1340	Be.pif
1340	Be.pif
2332	Be.pif
2332	Be.pif
2332	Be.pif
2332	Be.pif
812	RegAsm.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe
Token: SeShutdownPrivilege	2852	chrome.exe
Token: SeCreatePagefilePrivilege	2852	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
2852	chrome.exe
3492	Be.pif
3492	Be.pif
3492	Be.pif
1340	Be.pif
1340	Be.pif
1340	Be.pif
2332	Be.pif
2332	Be.pif
2332	Be.pif
2824	Be.pif
2824	Be.pif
2824	Be.pif
1056	Be.pif
1056	Be.pif
1056	Be.pif
4628	taskmgr.exe
4628	taskmgr.exe
4628	taskmgr.exe
4628	taskmgr.exe
4628	taskmgr.exe
4628	taskmgr.exe
4628	taskmgr.exe
4628	taskmgr.exe
4628	taskmgr.exe
4628	taskmgr.exe
4628	taskmgr.exe
4628	taskmgr.exe
4628	taskmgr.exe
4628	taskmgr.exe
4628	taskmgr.exe
4628	taskmgr.exe
4628	taskmgr.exe
4628	taskmgr.exe
4628	taskmgr.exe
4628	taskmgr.exe
4628	taskmgr.exe
4628	taskmgr.exe
4628	taskmgr.exe
4628	taskmgr.exe
4628	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 1068	2852	chrome.exe	85
PID 2852 wrote to memory of 1068	2852	chrome.exe	85
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 4020	2852	chrome.exe	87
PID 2852 wrote to memory of 1348	2852	chrome.exe	88
PID 2852 wrote to memory of 1348	2852	chrome.exe	88
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89
PID 2852 wrote to memory of 4844	2852	chrome.exe	89

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://url.rw/Solara/
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8adeccc40,0x7ff8adeccc4c,0x7ff8adeccc58
    3⤵
    PID:1068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,7528203251559513518,10719373130664106784,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1936 /prefetch:2
    3⤵
    PID:4020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1556,i,7528203251559513518,10719373130664106784,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1972 /prefetch:3
    3⤵
    PID:1348
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,7528203251559513518,10719373130664106784,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2432 /prefetch:8
    3⤵
    PID:4844
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,7528203251559513518,10719373130664106784,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3160 /prefetch:1
    3⤵
    PID:4428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,7528203251559513518,10719373130664106784,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1
    3⤵
    PID:2620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4340,i,7528203251559513518,10719373130664106784,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4344 /prefetch:1
    3⤵
    PID:4664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4836,i,7528203251559513518,10719373130664106784,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4852 /prefetch:1
    3⤵
    PID:3200
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4888,i,7528203251559513518,10719373130664106784,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3312 /prefetch:1
    3⤵
    PID:4888
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5160,i,7528203251559513518,10719373130664106784,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5136 /prefetch:1
    3⤵
    PID:5068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5368,i,7528203251559513518,10719373130664106784,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5380 /prefetch:8
    3⤵
    PID:1664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5076,i,7528203251559513518,10719373130664106784,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5520 /prefetch:1
    3⤵
    PID:2948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4792,i,7528203251559513518,10719373130664106784,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4704 /prefetch:8
    3⤵
    PID:3676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4936,i,7528203251559513518,10719373130664106784,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4932 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3080
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_A2Z46o6wBmjG.zip\ReadMe.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3788
- C:\Users\Admin\AppData\Local\Temp\Temp2_S01ara.zip\Solara\Solara\SolaraBootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp2_S01ara.zip\Solara\Solara\SolaraBootstrapper.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Porn Porn.cmd & Porn.cmd & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2088
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:4588
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1932
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:224
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3140
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 298944
      4⤵
      System Location Discovery: System Language Discovery
      PID:5052
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "WeightedStoredZealandHerbs" Ian
      4⤵
      System Location Discovery: System Language Discovery
      PID:2336
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Thou + ..\Aa + ..\Grant + ..\Characters + ..\Referred + ..\En + ..\Education Z
      4⤵
      System Location Discovery: System Language Discovery
      PID:3960
  - - C:\Users\Admin\AppData\Local\Temp\298944\Be.pif
      Be.pif Z
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SendNotifyMessage
      PID:3492
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:944
- C:\Users\Admin\AppData\Local\Temp\298944\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\298944\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4864
- C:\Users\Admin\Documents\S01ara\Solara\Solara\SolaraBootstrapper.exe
  "C:\Users\Admin\Documents\S01ara\Solara\Solara\SolaraBootstrapper.exe"
  2⤵
  - Drops file in Windows directory
  PID:3876
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Porn Porn.cmd & Porn.cmd & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2864
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:3788
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:2648
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:5016
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1652
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 298944
      4⤵
      System Location Discovery: System Language Discovery
      PID:2584
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "WeightedStoredZealandHerbs" Ian
      4⤵
      System Location Discovery: System Language Discovery
      PID:1120
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Thou + ..\Aa + ..\Grant + ..\Characters + ..\Referred + ..\En + ..\Education Z
      4⤵
      System Location Discovery: System Language Discovery
      PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\298944\Be.pif
      Be.pif Z
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SendNotifyMessage
      PID:1340
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:3928
- C:\Users\Admin\Documents\S01ara\Solara\Solara\SolaraBootstrapper.exe
  "C:\Users\Admin\Documents\S01ara\Solara\Solara\SolaraBootstrapper.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Porn Porn.cmd & Porn.cmd & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3732
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:3792
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4692
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:4756
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4452
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 298944
      4⤵
      System Location Discovery: System Language Discovery
      PID:1756
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Thou + ..\Aa + ..\Grant + ..\Characters + ..\Referred + ..\En + ..\Education Z
      4⤵
      System Location Discovery: System Language Discovery
      PID:224
  - - C:\Users\Admin\AppData\Local\Temp\298944\Be.pif
      Be.pif Z
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SendNotifyMessage
      PID:2332
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:3480
- C:\Users\Admin\Documents\S01ara\Solara\Solara\SolaraBootstrapper.exe
  "C:\Users\Admin\Documents\S01ara\Solara\Solara\SolaraBootstrapper.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Porn Porn.cmd & Porn.cmd & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3532
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:1348
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4616
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:3560
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1032
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 298944
      4⤵
      System Location Discovery: System Language Discovery
      PID:2264
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Thou + ..\Aa + ..\Grant + ..\Characters + ..\Referred + ..\En + ..\Education Z
      4⤵
      System Location Discovery: System Language Discovery
      PID:1904
  - - C:\Users\Admin\AppData\Local\Temp\298944\Be.pif
      Be.pif Z
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SendNotifyMessage
      PID:2824
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:2620
- C:\Users\Admin\AppData\Local\Temp\298944\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\298944\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:812
- C:\Users\Admin\AppData\Local\Temp\298944\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\298944\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:924
- C:\Users\Admin\Documents\S01ara\Solara\Solara\SolaraBootstrapper.exe
  "C:\Users\Admin\Documents\S01ara\Solara\Solara\SolaraBootstrapper.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:64
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Porn Porn.cmd & Porn.cmd & exit
    3⤵
    PID:4000
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:3932
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2400
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:3080
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3940
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 298944
      4⤵
      System Location Discovery: System Language Discovery
      PID:2760
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Thou + ..\Aa + ..\Grant + ..\Characters + ..\Referred + ..\En + ..\Education Z
      4⤵
      System Location Discovery: System Language Discovery
      PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\298944\Be.pif
      Be.pif Z
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SendNotifyMessage
      PID:1056
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:1220
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /7
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Checks SCSI registry key(s)
  - Suspicious use of SendNotifyMessage
  PID:4628
- C:\Users\Admin\AppData\Local\Temp\298944\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\298944\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4612
- C:\Users\Admin\Documents\S01ara\Solara\Solara\SolaraBootstrapper.exe
  "C:\Users\Admin\Documents\S01ara\Solara\Solara\SolaraBootstrapper.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Porn Porn.cmd & Porn.cmd & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3396
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:2492
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4200
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:4388
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2504
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 298944
      4⤵
      System Location Discovery: System Language Discovery
      PID:4652
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "WeightedStoredZealandHerbs" Ian
      4⤵
      System Location Discovery: System Language Discovery
      PID:3312
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Thou + ..\Aa + ..\Grant + ..\Characters + ..\Referred + ..\En + ..\Education Z
      4⤵
      System Location Discovery: System Language Discovery
      PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\298944\Be.pif
      Be.pif Z
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1904
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:4444

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1412

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3160

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\5f59c7da91e94374abedb1bae92e7c18 /t 1228 /p 4612
1⤵
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
be1872beb3f858fbd3a4df9c56702476

SHA1
58a18075a9d2154e7d4bd411729964206e2482b2

SHA256
7529b49416167b1162600ccb826661d5f9b2acb4ea932b6cc6923605e74e5aec

SHA512
77de694ce29ff272bd8ab1a8a615e492d4405e210299ada698cb9cf34a2625b094c7baaff7cfc14a2b6e85ffa3dd69ddab632d373b6d78f5d44257b10dfa7b26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
e8dbb8bd207f4a02324d51a557c8e238

SHA1
25152e17d3c3522fe4a6983b2841bc7b3973768d

SHA256
2375f2f33d7d0d9ed9c0e3845b053f3c0fcca2918e175e1f5795b90d93c86a4e

SHA512
2bfbd803c17ba24bfe80b750e435bd7096a42d7e139eb8c5871a58862a57333a36a7ef5d4fa44a082cc888a4c7e21212f2d4db177b2d025982cf496729ae01f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
e56b7ed50dd8574cdbb71b30bc2b5b47

SHA1
395b477ff441f650895cb7200e43fd3dd0fe48a4

SHA256
616e546566937add9452618146e4b1db80f32fa89058f41d22baf79b4f5550f2

SHA512
c5f5b1d9f890e982a65bd2de05cd81d997d783388eba3fb7b4e4e92305b66564c620d603e5b40a74fd4e4ff6255b17dfc21e4a7e9043c16e863a730f6c223872

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
7788c6282d64f6a679d37a9884d25623

SHA1
0908d13ab3bf6d8ce0c4ecd683799d03765a3600

SHA256
423512b683f6c887b27846ec2df68d2ea7a935a08ac146b2fa3f836f5727dbe3

SHA512
1840919411c3e1c7334124275b3fca223fd6776b5b4e3238e4e46803404aaa167ab5f13fc8d65aec5dcb2f666f83ce25827582cc2bdedf3e6c25b21dfd0e9609

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
52e5ad0ab83ede6b88dfa393265794d0

SHA1
42dee4ab385a1e23dbd3ac1cd7d44c5548448a34

SHA256
219cff60208f2c834f1b5abb8410fbb61cf3db255efc10d48f67188680c10708

SHA512
78e957adf3493acd3649bb54063787ad35f1f92740c67486098827d0463c3035171c931a47a0809076c7c158f50e82f6d565791403f8d7460e63d4909f1127a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
935cbd4ab8495ac300615c00a4a2a389

SHA1
0c611b0a23c66147bdaa4954ed7736d6c58c08e5

SHA256
45acee8524a4d3a9a0064e0eb3f569d988dd724ec992f06264013c0ef47582ff

SHA512
c2e722e853c53604f918935cd5fe524292c3723223efad646dc1e05cafa9bedc9816d59aa23741e9f43934cde0dd3b2465d38fdcd3de42941b1120f85b5d16ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
19a9a0dfb9ed7427e9f794d5b812b5b3

SHA1
fa165737f11763acf957d58bdd3162f197f4ac97

SHA256
2cebbe446aa850e08f69ef72e6b5f23d09c65bc3bd043373aaa3e3d2aecd5177

SHA512
30315a9523ba913a5d9a5966fd343e72e96507da90108bee0b4824001127f9d894ccf74f6ccd9c66f1b388bc55ca6ec0a7d7968fd9ca3974532f924f59bbefe0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
751c2f541cf914d552904017d0dafe90

SHA1
8a3e19fec4685ef32acd6169517f28dae97fe979

SHA256
5fe3a8e5cbd8921d74941983754aa56c27974c8fa6d4883d1b04709c4e60b9cd

SHA512
b00144a8e21d317e9a68b29d3b26bb21826bc7ca56596f28fc5ce7930a62bfa12d5971cb2b5c095b642245d76206a9b01df9569d32a0b95c537ef9a1c7d1b283

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
71dc968c0f5f5b64d3c6e61cfceb611b

SHA1
659cb809fd6fa770aa755c87a56b7ae7aeea50d1

SHA256
f215a8cdff092be663a97381cd14cfe08a3298d3a5f67647527bf16caa9c95a9

SHA512
d59f33958f583b69440f3236f82b8400cdd6248be453faf8d2b8313022c031a04d065b549b48b340af61850b324df512a0f806b760303b689de5be8de83c70f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e67ba630f17614f8e5fa5956d507287f

SHA1
52dd281881c424190154dccc0002364c96b88f55

SHA256
7c6831f6630e797da299bf31d23cad9c692cb4eb4c0e2516f7789b0a55c59a94

SHA512
6cbcf33f1990bfd80dd0ac6f3747acfa0779723b159d17f2ab6ff603ddb2cbd2ee372816e6591f67322a2b4e5b453ef5898f5b16e892581442f46653caf022e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
91bf8c5ebba558a98f8214d41f82699b

SHA1
69992a68b941a9d0b94aa48f261c91ef38a38b22

SHA256
98df612d0b27efc080e8120b5798bb0356b044f5daafd1fcd1622f3bf33a84a6

SHA512
7a97a1ffaae33943e3099ba6c553ce82ca7eaf7e57019f11780c70136e7d27303910be9378619873694c348993379732636c4e3c0f271e84649db2ce5346290a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f2ccb9f7ae0ce47ab4bf23491c174e31

SHA1
d9af16e4579f77d9e69b9bcf14b1065c17a25f31

SHA256
031560c444bc37c185af68466d0dffdc2bffd71661d990f9c14af446203de67a

SHA512
44751f7f155b4263eacb1e3a08db0b2694fd75526a403186c5740c56f1cdaaf517ecadc41e12bfa7a2f28b25ded8a1641f7953aa12f4819c860b45e574fc7f94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6d7757b12f7268a76a124943e3812f29

SHA1
036bf106aa8cf8730700a0ffe3d45cd1d281ecc1

SHA256
2446855af923c6928b266c203dab3df1a954427e5ed91adf41969e2c883513ed

SHA512
030ab2897152162c1bba0a185c5cff680e9ac8b199a58eb7145a7b252cc0e430028583fecb8fd15b59e0c7737a53e0b813eb291c1c4867e480390fb5d83ea401

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cf0736a16d451b01db98758ae778a42d

SHA1
6afdec3298b410a286000ee6eddce9e2760badcb

SHA256
b3186829387fe7d6e0027def8a0d8710f32260e78dc8f20e934c7b92de508f50

SHA512
99c1c260500af040c9e9c4b3d90bd7af5988f52aabc905b3480a80baf60ad4ad985b74da3c12566601ffedaa365d4882bd61c0859d311608536dd0190a5db1a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
84ab8a19b027a7ef9dc016bfacfcb02d

SHA1
9453cedbc14c6895e45024944186d3a2197e0a51

SHA256
0b87015db70051c89522aaced5f996434d98839a763f2d3b950e1cf65cb88184

SHA512
af15f3802cb825b2f03dc06d80eac606ffd3b4244a02e935877e94f3a22b9568d472cce35821ecfc3b85c0f8fcb4ea6a4e38d61e978def934ecade55c46d64d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
16cfbcc3fb4c8170a8115a8f90e7e5df

SHA1
4b6c604442795cf184c58de61918fe07cf4657b9

SHA256
8b8504dd0c2ddf6cee0dacf48fbfbcb404d0efd90493ee8ab18b1c68492107f1

SHA512
e472a00e967f093c7d441e4865397f67e5cff4d7fafaea387c811afd3f56fd80dcc5c528cf5d275e7b3257e5529a23268ea893861fe5894b5ec4cfe22cb0512b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c1f1d356a414739b88f3166513123fdd

SHA1
9db8e4ac678b9f2fb7cac50a5f0a187dc631bf77

SHA256
a4937811234b9ac2a46c6e7be09c47240339db40ca3cce44ca09d567f002c51e

SHA512
e111f3a03c13194f5b209c3262f638d02822c146aa67eca918abe7696adac87c31458b6d268a66302824271f5333d29e3b7bc37b54846dfd099f8a16e363ea37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
855742ea151e875af6e00c63dd8de69b

SHA1
557f58fd76a253080f92ead1d656010b5fbc2f4d

SHA256
addeb18b4bb2f9990bff0ab849811c7428c72b47268d8f88ac7d1850b6e4c03b

SHA512
eabf828c21160aaafd61bbc573f3cb1a565215cd1c5df121f17fb3272f348093f997358a8b41a0d09bcc91cdc29399ceaec8a1711005bfae92b1072d68ac83b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
04575d8737ffc376997bb2013e147650

SHA1
8d25750cacc2ba7aa0b59cee4ef819cb57198fbe

SHA256
bd1fa3d75362091d4c56d4fe0045e6e8073d2506b9240458f563b00bdf364c4c

SHA512
144203898a3735b17106780bb6ac854f89f3f7bee762e29dfe0991cb7bdf80b875da763ddd9ce5f6367e530fe970bb5122f4b868c5f8adb89682ae1661b381f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
00a937872d4c9f9046cf929ff4095d13

SHA1
fc19a87e2725ec1434d4947d80fedb114df7f7df

SHA256
dc6ef8a92f7d7d32686a2d9e40cbd586c4fd63e4e84afaa147dc923b0f64b015

SHA512
0b7044ed980b7ec848f61ec978c161392ef980e07e7917a33c3cc72e3945b9ac755ff3b082cfce809d33d5e7c6e40dd177c29eb8368a7d71a830ce644fe8e91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\298944\Be.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\298944\Be.pif

Filesize
905B

MD5
b029a019b9eef746acb86d2e8118dcf7

SHA1
44f0942c9aed080c0d7095b32208a6a72878c196

SHA256
20a7d39b29ea01ae1eebf0caeaba4d10c49be5ce9fb7f7e9a1ca07d37870be14

SHA512
485ab84b769771f2d83afa175512a90011bc16ba96fe0ba165dd0530b9abcc794212177a4a56b84a5c44870298ec726f998216b209fbf2a39faf2801cee1c482

Download Submit
C:\Users\Admin\AppData\Local\Temp\298944\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\298944\Z

Filesize
513KB

MD5
3bdf77899cf883deb8c0d72b9046b039

SHA1
55c6b607f88e7129b9a9da3c86e3e42a379c51dc

SHA256
d808eb927b1b0f549c9f0b2d9587c0bda4ed55eead9d29f3a267c67b10500155

SHA512
94d8eb369203c8dc96e13286263dfb6738746af7af1e7b0e18b81d83b18af1b2399a5e11860be986f825ca7d9c6ba4623ca25f0f265ae045a93318fa893e345d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aa

Filesize
76KB

MD5
323a3758b48522c0315942bffbdad075

SHA1
34b7b81fd3ed9f51582ed933e337959b269240bb

SHA256
419328b3764936caf2680d09cd3685fbf67e66da757b803bc88b5bc55438846d

SHA512
6a48c69388faf6a86f70518737322f32246e8cfb3a7a881f5d176b834ba141047ed175720aef6190d0a5c12e15ce94159bae2d6633bc8129b9d0d850a0f34636

Download Submit
C:\Users\Admin\AppData\Local\Temp\Characters

Filesize
65KB

MD5
7f8070697e951896b4fcccca068e158e

SHA1
75da10196a4fc53178cf7a2eb064512e5ea9aeac

SHA256
879d4c9459f6935a8eb597dcbdeef2b31a94f71d49386b3559294fd1768a592d

SHA512
c138507727a236c447e0ed443be5049c06da0b9362d631f7ed294466a79e99331aeda40142981ec44f882ce369a978992a25621e7b3612faa009b85cc9e79c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Education

Filesize
58KB

MD5
8f67fce57d62ffb6a54acd7530562554

SHA1
2fcc7965ed3a01845d495d19f2a28fc27f1084f4

SHA256
5393dd3a0c1dcf9900f4b22a418ace3c6471b5cc7e0944271600ba92c0824dbd

SHA512
f66817b5b3a36d9c36830b18de9ea03e1ad5946b95f27cb82fc81170556fb47fb0a95e8f5ff336c4083d7832cbed48d50c6a6ceaceabc2df793a5688bbd6f7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\En

Filesize
80KB

MD5
20d33058a54a8012deb1c15454e74350

SHA1
67fa3c6d9cea452add451f4cec376d0d92adc1fd

SHA256
1191b0a47dc7f89da5c7e2c46a1e27999667b78a51259c1de43351a68dc1c9a8

SHA512
a3bbad05aef10533a367054743a89ec9bd492c394833ef72b21331ba4439d7466d4e42e6be34ed274e21aeeb4e5a4d24419981af35d8c6e1477abb041b4380b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Grant

Filesize
81KB

MD5
7d3262e991e7f6fb42adc3175f916869

SHA1
0e0c53c14e72b0aaf7ea4e77102fa1ebe450023c

SHA256
d1ed64d145c6f3c28657a463883dc1de03b36a4752c4621bded163400c569a0e

SHA512
e2f06f182f7af79c3141f25c6cb6add3a46b92afd6d5390d0f4d0feed98c8b36d3bdac1be396439f40295e234c95a0709875dff4239d5c8c0f8d869d8da6ffc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ian

Filesize
933B

MD5
14cb194102df0193885bc929e1858ab5

SHA1
cc11c10e1202dd59bcccd56ff9da725dd9c2b9ad

SHA256
6a73a096c522a20809bb5e7203f2ad8cd218609796caeac5cb73a5fb2ee6f985

SHA512
f7ba5b715d04b97c27f7f30bd6ea32a70a5bc2e50b343986b3c78adfa8aa887ea7469eba0301548d2153c1c9ae705c278d269a37236b1d23c81f2533477883b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Porn

Filesize
8KB

MD5
24ac788ef0fff40cf7cc1a040be1e708

SHA1
19d17bc249a93ffa450c77829bd208f5d4c7d2fd

SHA256
3e0692494583e9435c1c3878bac8a59f49d5f15c5d88de42ceb81ee3aef1dd64

SHA512
c0bf9c71cf8a088d228539b9b18384b8c6eae6dfcf97466aa87adc23dc0010d5f487381283b66e629faaccda6ab75a42d13511183f5a50ad9a52f23b0bbe4dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Referred

Filesize
90KB

MD5
48878d439a04a605d375d0f3cfaf85df

SHA1
e85182a20d0f2d0b392cce0c7a6268fddf2d5eda

SHA256
847da5638d6c03ab3de955c3a1090340cea8f0867a26cc6121b7c3c105ad7642

SHA512
1a5bc6ed9177f198d4c97e848636ae9fc76193116d13307f810ca974d091df2fc5abc2e4e3a794a1c748360abf98d41f2153ac1beb6d8fc6fbe292bc0e8440ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ten

Filesize
871KB

MD5
1321fe4ce7f15b0d9b96735777ab0a75

SHA1
b97fe8c771d517dba8e6de71418cf4fb39ec476e

SHA256
fb1d3e5ee3bd810fd91b550e271d38fa2c5bf8792bcce0496ce3f5a7bb2367e1

SHA512
61f375f7a3a948e796fa7538252bd1642c2024c136ac704b4d65ae523a871b3b7de604b8095d9223454f6bcac93d435ff83fcbeb708497a7f3a652e63a1ff376

Download Submit
C:\Users\Admin\AppData\Local\Temp\Thou

Filesize
63KB

MD5
ea441cd3efc9ea716d57f93e1b8c42a3

SHA1
4053ab58dd66c954c53f4b2f3ddc130804a17893

SHA256
d1bf18307bfc729fe7c6ebbd5ffdfa1c00dba7cc2adab1ca44619e13d8434407

SHA512
83d83d2358cf723908524d5c17da22202dad45b38735e11a090f4a66fe644f4706454e00da52bc3afd5a1ffe2f4d51d92b23b8e2be4db152c7c6949f0c410b6c

Download Submit
memory/812-356-0x00000000089A0000-0x00000000089EC000-memory.dmp

Filesize
304KB

Download
memory/812-355-0x0000000001100000-0x0000000001168000-memory.dmp

Filesize
416KB

Download
memory/924-357-0x0000000000B80000-0x0000000000BE8000-memory.dmp

Filesize
416KB

Download
memory/4612-383-0x00000000080C0000-0x000000000810C000-memory.dmp

Filesize
304KB

Download
memory/4628-369-0x0000029E94480000-0x0000029E94481000-memory.dmp

Filesize
4KB

Download
memory/4628-376-0x0000029E94480000-0x0000029E94481000-memory.dmp

Filesize
4KB

Download
memory/4628-378-0x0000029E94480000-0x0000029E94481000-memory.dmp

Filesize
4KB

Download
memory/4628-379-0x0000029E94480000-0x0000029E94481000-memory.dmp

Filesize
4KB

Download
memory/4628-380-0x0000029E94480000-0x0000029E94481000-memory.dmp

Filesize
4KB

Download
memory/4628-381-0x0000029E94480000-0x0000029E94481000-memory.dmp

Filesize
4KB

Download
memory/4628-377-0x0000029E94480000-0x0000029E94481000-memory.dmp

Filesize
4KB

Download
memory/4628-375-0x0000029E94480000-0x0000029E94481000-memory.dmp

Filesize
4KB

Download
memory/4628-370-0x0000029E94480000-0x0000029E94481000-memory.dmp

Filesize
4KB

Download
memory/4628-371-0x0000029E94480000-0x0000029E94481000-memory.dmp

Filesize
4KB

Download
memory/4864-275-0x00000000094A0000-0x00000000094BE000-memory.dmp

Filesize
120KB

Download
memory/4864-269-0x00000000084E0000-0x00000000085EA000-memory.dmp

Filesize
1.0MB

Download
memory/4864-266-0x00000000052A0000-0x0000000005332000-memory.dmp

Filesize
584KB

Download
memory/4864-267-0x0000000005430000-0x000000000543A000-memory.dmp

Filesize
40KB

Download
memory/4864-268-0x0000000008960000-0x0000000008F78000-memory.dmp

Filesize
6.1MB

Download
memory/4864-278-0x000000000A8A0000-0x000000000ADCC000-memory.dmp

Filesize
5.2MB

Download
memory/4864-277-0x000000000A1A0000-0x000000000A362000-memory.dmp

Filesize
1.8MB

Download
memory/4864-265-0x00000000057B0000-0x0000000005D54000-memory.dmp

Filesize
5.6MB

Download
memory/4864-274-0x00000000094E0000-0x0000000009556000-memory.dmp

Filesize
472KB

Download
memory/4864-273-0x00000000091F0000-0x0000000009256000-memory.dmp

Filesize
408KB

Download
memory/4864-272-0x00000000085F0000-0x000000000863C000-memory.dmp

Filesize
304KB

Download
memory/4864-271-0x0000000008470000-0x00000000084AC000-memory.dmp

Filesize
240KB

Download
memory/4864-270-0x0000000008410000-0x0000000008422000-memory.dmp

Filesize
72KB

Download
memory/4864-262-0x0000000000D00000-0x0000000000D68000-memory.dmp

Filesize
416KB

Download