Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://workupload.c...

windows10-2004-x64

10

Analysis

  • max time kernel
    230s
  • max time network
    234s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-08-2024 21:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://workupload.com/file/ty2zQM4Rkn5

Score
10/10
dcratgurcudiscoveryevasionexecutioninfostealerratstealerthemidatrojan

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7486279703:AAFP9Nx-Gdv4hjP4gueXGNJc291UkmgSDjA/sendMessage?chat_id=945098073

Signatures

  • DcRat 49 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 22 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 15 IoCs
  • Themida packer 10 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Blocklisted process makes network request 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 21 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • cURL User-Agent 8 IoCs

    Uses User-Agent string associated with cURL utility.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://workupload.com/file/ty2zQM4Rkn5
    1⤵
    • DcRat
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffe899d46f8,0x7ffe899d4708,0x7ffe899d4718
      2⤵
        PID:4628
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
        2⤵
          PID:1388
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4528
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
          2⤵
            PID:3180
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
            2⤵
              PID:4768
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
              2⤵
                PID:3552
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
                2⤵
                  PID:4324
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
                  2⤵
                    PID:4512
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
                    2⤵
                      PID:500
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
                      2⤵
                        PID:1976
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
                        2⤵
                          PID:4008
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3404
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
                          2⤵
                            PID:3144
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
                            2⤵
                              PID:1484
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
                              2⤵
                                PID:3884
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
                                2⤵
                                  PID:1508
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
                                  2⤵
                                    PID:4008
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
                                    2⤵
                                      PID:3144
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
                                      2⤵
                                        PID:5440
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
                                        2⤵
                                          PID:5448
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6036 /prefetch:8
                                          2⤵
                                            PID:5640
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
                                            2⤵
                                              PID:5648
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6524 /prefetch:8
                                              2⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:5660
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1272 /prefetch:1
                                              2⤵
                                                PID:6176
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
                                                2⤵
                                                  PID:5932
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2996 /prefetch:8
                                                  2⤵
                                                    PID:7124
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6300 /prefetch:8
                                                    2⤵
                                                    • Modifies registry class
                                                    PID:216
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
                                                    2⤵
                                                      PID:3816
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
                                                      2⤵
                                                        PID:4160
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
                                                        2⤵
                                                          PID:6744
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
                                                          2⤵
                                                            PID:2032
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
                                                            2⤵
                                                            • Modifies registry class
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:2784
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
                                                            2⤵
                                                              PID:6980
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1292 /prefetch:1
                                                              2⤵
                                                                PID:5476
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
                                                                2⤵
                                                                  PID:4232
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
                                                                  2⤵
                                                                    PID:6948
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
                                                                    2⤵
                                                                      PID:6060
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,8267308429242641738,16186764611459466332,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6968 /prefetch:2
                                                                      2⤵
                                                                        PID:2408
                                                                    • C:\Windows\System32\CompPkgSrv.exe
                                                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                      1⤵
                                                                        PID:2956
                                                                      • C:\Windows\System32\CompPkgSrv.exe
                                                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                        1⤵
                                                                          PID:60
                                                                        • C:\Windows\System32\rundll32.exe
                                                                          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                          1⤵
                                                                            PID:5956
                                                                          • C:\Program Files\7-Zip\7zG.exe
                                                                            "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SolaraNew\" -spe -an -ai#7zMap22929:80:7zEvent18942
                                                                            1⤵
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            • Suspicious use of FindShellTrayWindow
                                                                            PID:6104
                                                                          • C:\Users\Admin\Downloads\SolaraNew\Solara\SolaraBostrapers.exe
                                                                            "C:\Users\Admin\Downloads\SolaraNew\Solara\SolaraBostrapers.exe"
                                                                            1⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:1484
                                                                            • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                                                                              2⤵
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:5240
                                                                            • C:\Users\Admin\AppData\Local\Temp\explorer.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
                                                                              2⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Modifies registry class
                                                                              PID:5192
                                                                              • C:\Windows\SysWOW64\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\runtimedll\FNSj17Htppfg4k3A3UQDZrtMDVU.vbe"
                                                                                3⤵
                                                                                • Checks computer location settings
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:5768
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\runtimedll\Dys66TczvhbessmMKj4WgmTuE0u8f.bat" "
                                                                                  4⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:4884
                                                                                  • C:\Users\Admin\AppData\Roaming\runtimedll\HyperproviderMonitor.exe
                                                                                    "C:\Users\Admin\AppData\Roaming\runtimedll\HyperproviderMonitor.exe"
                                                                                    5⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in Program Files directory
                                                                                    • Modifies registry class
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:5656
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\runtimedll\HyperproviderMonitor.exe'
                                                                                      6⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:5580
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
                                                                                      6⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:5240
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'
                                                                                      6⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:1908
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
                                                                                      6⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:5140
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\services.exe'
                                                                                      6⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:5964
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
                                                                                      6⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:64
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
                                                                                      6⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:1508
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\cmd.exe'
                                                                                      6⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:5236
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'
                                                                                      6⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:1488
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'
                                                                                      6⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2780
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TrustedInstaller.exe'
                                                                                      6⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2320
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\backgroundTaskHost.exe'
                                                                                      6⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:5996
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
                                                                                      6⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:4408
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\123.0.6312.123\fontdrvhost.exe'
                                                                                      6⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:6084
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\fontdrvhost.exe'
                                                                                      6⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:4236
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\RuntimeBroker.exe'
                                                                                      6⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:6128
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\RuntimeBroker.exe'
                                                                                      6⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:6124
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6J9oWuSia.bat"
                                                                                      6⤵
                                                                                        PID:3200
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          7⤵
                                                                                            PID:6960
                                                                                          • C:\Recovery\WindowsRE\TrustedInstaller.exe
                                                                                            "C:\Recovery\WindowsRE\TrustedInstaller.exe"
                                                                                            7⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious behavior: GetForegroundWindowSpam
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:6892
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:1392
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:6132
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:5220
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:3756
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:2956
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:4756
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:4264
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:3588
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:3644
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\services.exe'" /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:1396
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\services.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:1992
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\services.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:3964
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:3564
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:4696
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:6108
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:1736
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:3592
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:3264
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\cmd.exe'" /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:4968
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\cmd.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:4948
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\cmd.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:2724
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:5588
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:1612
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:3200
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:5164
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:5180
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:5148
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:3568
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:3848
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:5124
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\backgroundTaskHost.exe'" /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:5184
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\backgroundTaskHost.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:5048
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\backgroundTaskHost.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:5696
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:5840
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:5676
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:5712
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\fontdrvhost.exe'" /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:4336
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\fontdrvhost.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:2016
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\fontdrvhost.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:552
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\fontdrvhost.exe'" /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:5248
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fontdrvhost.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:4748
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\fontdrvhost.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:436
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Public\RuntimeBroker.exe'" /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:5104
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:4328
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:5660
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\Temp\RuntimeBroker.exe'" /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:2736
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Temp\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:5984
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • DcRat
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:5592
                                                                              • C:\Users\Admin\Downloads\SolaraNew\Solara\SolaraBostrapers.exe
                                                                                "C:\Users\Admin\Downloads\SolaraNew\Solara\SolaraBostrapers.exe"
                                                                                1⤵
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:3216
                                                                                • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:5616
                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5616 -s 1688
                                                                                    3⤵
                                                                                    • Program crash
                                                                                    PID:1884
                                                                                • C:\Users\Admin\AppData\Local\Temp\explorer.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
                                                                                  2⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Modifies registry class
                                                                                  PID:4476
                                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\runtimedll\FNSj17Htppfg4k3A3UQDZrtMDVU.vbe"
                                                                                    3⤵
                                                                                    • Checks computer location settings
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:6648
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\runtimedll\Dys66TczvhbessmMKj4WgmTuE0u8f.bat" "
                                                                                      4⤵
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:2348
                                                                                      • C:\Users\Admin\AppData\Roaming\runtimedll\HyperproviderMonitor.exe
                                                                                        "C:\Users\Admin\AppData\Roaming\runtimedll\HyperproviderMonitor.exe"
                                                                                        5⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2716
                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5616 -ip 5616
                                                                                1⤵
                                                                                  PID:3004
                                                                                • C:\Users\Admin\Downloads\SolaraNew\Solara\SolaraBostrapers.exe
                                                                                  "C:\Users\Admin\Downloads\SolaraNew\Solara\SolaraBostrapers.exe"
                                                                                  1⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:940
                                                                                  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                                                                                    2⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:6140
                                                                                    • C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.16.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.16.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\svchost.exe" --isUpdate true
                                                                                      3⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:6872
                                                                                      • C:\Windows\System32\msiexec.exe
                                                                                        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
                                                                                        4⤵
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:3816
                                                                                  • C:\Users\Admin\AppData\Local\Temp\explorer.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
                                                                                    2⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:5324
                                                                                    • C:\Windows\SysWOW64\WScript.exe
                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\runtimedll\FNSj17Htppfg4k3A3UQDZrtMDVU.vbe"
                                                                                      3⤵
                                                                                      • Checks computer location settings
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:6776
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\runtimedll\Dys66TczvhbessmMKj4WgmTuE0u8f.bat" "
                                                                                        4⤵
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:3644
                                                                                        • C:\Users\Admin\AppData\Roaming\runtimedll\HyperproviderMonitor.exe
                                                                                          "C:\Users\Admin\AppData\Roaming\runtimedll\HyperproviderMonitor.exe"
                                                                                          5⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:6912
                                                                                • C:\Windows\system32\msiexec.exe
                                                                                  C:\Windows\system32\msiexec.exe /V
                                                                                  1⤵
                                                                                  • Blocklisted process makes network request
                                                                                  • Enumerates connected drives
                                                                                  • Drops file in Program Files directory
                                                                                  • Drops file in Windows directory
                                                                                  • Modifies data under HKEY_USERS
                                                                                  • Modifies registry class
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:5184
                                                                                  • C:\Windows\System32\MsiExec.exe
                                                                                    C:\Windows\System32\MsiExec.exe -Embedding 1F874C7361E07C8FEA02D7A9BAAC8602
                                                                                    2⤵
                                                                                    • Loads dropped DLL
                                                                                    PID:1028
                                                                                  • C:\Windows\syswow64\MsiExec.exe
                                                                                    C:\Windows\syswow64\MsiExec.exe -Embedding 4DF89F158F5A7CF00116A528B2580F8D
                                                                                    2⤵
                                                                                    • Loads dropped DLL
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:2980
                                                                                  • C:\Windows\syswow64\MsiExec.exe
                                                                                    C:\Windows\syswow64\MsiExec.exe -Embedding 0AA6A4C47FA3C6A71D06391583E7340E E Global\MSI0000
                                                                                    2⤵
                                                                                    • Loads dropped DLL
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:3384
                                                                                    • C:\Windows\SysWOW64\wevtutil.exe
                                                                                      "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
                                                                                      3⤵
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:1996
                                                                                      • C:\Windows\System32\wevtutil.exe
                                                                                        "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
                                                                                        4⤵
                                                                                          PID:1060
                                                                                  • C:\Windows\system32\taskmgr.exe
                                                                                    "C:\Windows\system32\taskmgr.exe" /4
                                                                                    1⤵
                                                                                    • Checks SCSI registry key(s)
                                                                                    • Modifies registry class
                                                                                    • Suspicious use of FindShellTrayWindow
                                                                                    • Suspicious use of SendNotifyMessage
                                                                                    PID:5564
                                                                                  • C:\Users\Admin\Downloads\SolaraNew\Solara\SolaraBostrapers.exe
                                                                                    "C:\Users\Admin\Downloads\SolaraNew\Solara\SolaraBostrapers.exe"
                                                                                    1⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:1028
                                                                                    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                                                                                      2⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:6600
                                                                                      • C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.16.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.16.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\svchost.exe" --isUpdate true
                                                                                        3⤵
                                                                                        • Checks computer location settings
                                                                                        • Executes dropped EXE
                                                                                        PID:4892
                                                                                        • C:\Program Files\nodejs\node.exe
                                                                                          "node" -v
                                                                                          4⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:5224
                                                                                        • C:\ProgramData\Solara\Solara.exe
                                                                                          "C:\ProgramData\Solara\Solara.exe"
                                                                                          4⤵
                                                                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                          • Checks BIOS information in registry
                                                                                          • Executes dropped EXE
                                                                                          • Loads dropped DLL
                                                                                          • Checks whether UAC is enabled
                                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                          PID:4008
                                                                                          • C:\Program Files\nodejs\node.exe
                                                                                            "node" "C:\ProgramData\Solara\Monaco\fileaccess\index.js" 95355066efb9462b
                                                                                            5⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:1324
                                                                                    • C:\Users\Admin\AppData\Local\Temp\explorer.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
                                                                                      2⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Modifies registry class
                                                                                      PID:2988
                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\runtimedll\FNSj17Htppfg4k3A3UQDZrtMDVU.vbe"
                                                                                        3⤵
                                                                                        • Checks computer location settings
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:6640
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\runtimedll\Dys66TczvhbessmMKj4WgmTuE0u8f.bat" "
                                                                                          4⤵
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:5532
                                                                                          • C:\Users\Admin\AppData\Roaming\runtimedll\HyperproviderMonitor.exe
                                                                                            "C:\Users\Admin\AppData\Roaming\runtimedll\HyperproviderMonitor.exe"
                                                                                            5⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:6416
                                                                                  • C:\Users\Admin\Downloads\SolaraNew\Solara\SolaraBostrapers.exe
                                                                                    "C:\Users\Admin\Downloads\SolaraNew\Solara\SolaraBostrapers.exe"
                                                                                    1⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:6828
                                                                                    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                                                                                      2⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:6256
                                                                                      • C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.16.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.16.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\svchost.exe" --isUpdate true
                                                                                        3⤵
                                                                                        • Checks computer location settings
                                                                                        • Executes dropped EXE
                                                                                        PID:4964
                                                                                        • C:\Program Files\nodejs\node.exe
                                                                                          "node" -v
                                                                                          4⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:3596
                                                                                        • C:\ProgramData\Solara\Solara.exe
                                                                                          "C:\ProgramData\Solara\Solara.exe"
                                                                                          4⤵
                                                                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                          • Checks BIOS information in registry
                                                                                          • Executes dropped EXE
                                                                                          • Loads dropped DLL
                                                                                          • Checks whether UAC is enabled
                                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                          PID:4448
                                                                                          • C:\Program Files\nodejs\node.exe
                                                                                            "node" "C:\ProgramData\Solara\Monaco\fileaccess\index.js" 6d4684e3d4e74ff8
                                                                                            5⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:5212
                                                                                    • C:\Users\Admin\AppData\Local\Temp\explorer.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
                                                                                      2⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:5708
                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\runtimedll\FNSj17Htppfg4k3A3UQDZrtMDVU.vbe"
                                                                                        3⤵
                                                                                        • Checks computer location settings
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:6740
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\runtimedll\Dys66TczvhbessmMKj4WgmTuE0u8f.bat" "
                                                                                          4⤵
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:6868
                                                                                          • C:\Users\Admin\AppData\Roaming\runtimedll\HyperproviderMonitor.exe
                                                                                            "C:\Users\Admin\AppData\Roaming\runtimedll\HyperproviderMonitor.exe"
                                                                                            5⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:4288

                                                                                  Network

                                                                                  MITRE ATT&CK Enterprise v15

                                                                                  Replay Monitor

                                                                                  Loading Replay Monitor...

                                                                                  Downloads

                                                                                  • C:\Config.Msi\e59f41d.rbs
                                                                                    Filesize

                                                                                    1.0MB

                                                                                    MD5

                                                                                    db1412a4d6247300ccf381475b798059

                                                                                    SHA1

                                                                                    5d107f062da7c77f6fc5c05c0390585f8b74479d

                                                                                    SHA256

                                                                                    8da8414bc8eb316df188f9309ad9a65dc7807afe7707419859141d18977a3d8a

                                                                                    SHA512

                                                                                    82223b3ef8a7f0923e481c30f6f0faf9a5004ba8249105cc3443c83772c6c226494190f9f8e3318d543c8d9b0ea7eb83d1332ee0345ec187afdb4c94a5ad6167

                                                                                    Download Submit

                                                                                  • C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\LICENSE.md
                                                                                    Filesize

                                                                                    818B

                                                                                    MD5

                                                                                    2916d8b51a5cc0a350d64389bc07aef6

                                                                                    SHA1

                                                                                    c9d5ac416c1dd7945651bee712dbed4d158d09e1

                                                                                    SHA256

                                                                                    733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

                                                                                    SHA512

                                                                                    508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

                                                                                    Download Submit

                                                                                  • C:\Program Files\nodejs\node_modules\npm\node_modules\aggregate-error\license
                                                                                    Filesize

                                                                                    1KB

                                                                                    MD5

                                                                                    5ad87d95c13094fa67f25442ff521efd

                                                                                    SHA1

                                                                                    01f1438a98e1b796e05a74131e6bb9d66c9e8542

                                                                                    SHA256

                                                                                    67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

                                                                                    SHA512

                                                                                    7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

                                                                                    Download Submit

                                                                                  • C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE
                                                                                    Filesize

                                                                                    754B

                                                                                    MD5

                                                                                    d2cf52aa43e18fdc87562d4c1303f46a

                                                                                    SHA1

                                                                                    58fb4a65fffb438630351e7cafd322579817e5e1

                                                                                    SHA256

                                                                                    45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

                                                                                    SHA512

                                                                                    54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

                                                                                    Download Submit

                                                                                  • C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\LICENSE.md
                                                                                    Filesize

                                                                                    771B

                                                                                    MD5

                                                                                    e9dc66f98e5f7ff720bf603fff36ebc5

                                                                                    SHA1

                                                                                    f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

                                                                                    SHA256

                                                                                    b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

                                                                                    SHA512

                                                                                    8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

                                                                                    Download Submit

                                                                                  • C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\LICENSE
                                                                                    Filesize

                                                                                    730B

                                                                                    MD5

                                                                                    072ac9ab0c4667f8f876becedfe10ee0

                                                                                    SHA1

                                                                                    0227492dcdc7fb8de1d14f9d3421c333230cf8fe

                                                                                    SHA256

                                                                                    2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

                                                                                    SHA512

                                                                                    f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

                                                                                    Download Submit

                                                                                  • C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\node_modules\minipass\package.json
                                                                                    Filesize

                                                                                    1KB

                                                                                    MD5

                                                                                    d116a360376e31950428ed26eae9ffd4

                                                                                    SHA1

                                                                                    192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

                                                                                    SHA256

                                                                                    c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

                                                                                    SHA512

                                                                                    5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

                                                                                    Download Submit

                                                                                  • C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE
                                                                                    Filesize

                                                                                    802B

                                                                                    MD5

                                                                                    d7c8fab641cd22d2cd30d2999cc77040

                                                                                    SHA1

                                                                                    d293601583b1454ad5415260e4378217d569538e

                                                                                    SHA256

                                                                                    04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

                                                                                    SHA512

                                                                                    278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

                                                                                    Download Submit

                                                                                  • C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js
                                                                                    Filesize

                                                                                    16KB

                                                                                    MD5

                                                                                    bc0c0eeede037aa152345ab1f9774e92

                                                                                    SHA1

                                                                                    56e0f71900f0ef8294e46757ec14c0c11ed31d4e

                                                                                    SHA256

                                                                                    7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

                                                                                    SHA512

                                                                                    5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

                                                                                    Download Submit

                                                                                  • C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE
                                                                                    Filesize

                                                                                    780B

                                                                                    MD5

                                                                                    b020de8f88eacc104c21d6e6cacc636d

                                                                                    SHA1

                                                                                    20b35e641e3a5ea25f012e13d69fab37e3d68d6b

                                                                                    SHA256

                                                                                    3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

                                                                                    SHA512

                                                                                    4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

                                                                                    Download Submit

                                                                                  • C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE
                                                                                    Filesize

                                                                                    763B

                                                                                    MD5

                                                                                    7428aa9f83c500c4a434f8848ee23851

                                                                                    SHA1

                                                                                    166b3e1c1b7d7cb7b070108876492529f546219f

                                                                                    SHA256

                                                                                    1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

                                                                                    SHA512

                                                                                    c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

                                                                                    Download Submit

                                                                                  • C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts
                                                                                    Filesize

                                                                                    4KB

                                                                                    MD5

                                                                                    f0bd53316e08991d94586331f9c11d97

                                                                                    SHA1

                                                                                    f5a7a6dc0da46c3e077764cfb3e928c4a75d383e

                                                                                    SHA256

                                                                                    dd3eda3596af30eda88b4c6c2156d3af6e7fa221f39c46e492c5e9fb697e2fef

                                                                                    SHA512

                                                                                    fd6affbaed67d09cf45478f38e92b8ca6c27650a232cbbeaff36e4f7554fb731ae44cf732378641312e98221539e3d8fabe80a7814e4f425026202de44eb5839

                                                                                    Download Submit

                                                                                  • C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\LICENSE
                                                                                    Filesize

                                                                                    771B

                                                                                    MD5

                                                                                    1d7c74bcd1904d125f6aff37749dc069

                                                                                    SHA1

                                                                                    21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab

                                                                                    SHA256

                                                                                    24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9

                                                                                    SHA512

                                                                                    b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

                                                                                    Download Submit

                                                                                  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url
                                                                                    Filesize

                                                                                    168B

                                                                                    MD5

                                                                                    db7dbbc86e432573e54dedbcc02cb4a1

                                                                                    SHA1

                                                                                    cff9cfb98cff2d86b35dc680b405e8036bbbda47

                                                                                    SHA256

                                                                                    7cf8a9c96f9016132be81fd89f9573566b7dc70244a28eb59d573c2fdba1def9

                                                                                    SHA512

                                                                                    8f35f2e7dac250c66b209acecab836d3ecf244857b81bacebc214f0956ec108585990f23ff3f741678e371b0bee78dd50029d0af257a3bb6ab3b43df1e39f2ec

                                                                                    Download Submit

                                                                                  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url
                                                                                    Filesize

                                                                                    133B

                                                                                    MD5

                                                                                    35b86e177ab52108bd9fed7425a9e34a

                                                                                    SHA1

                                                                                    76a1f47a10e3ab829f676838147875d75022c70c

                                                                                    SHA256

                                                                                    afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319

                                                                                    SHA512

                                                                                    3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                    Filesize

                                                                                    2KB

                                                                                    MD5

                                                                                    d85ba6ff808d9e5444a4b369f5bc2730

                                                                                    SHA1

                                                                                    31aa9d96590fff6981b315e0b391b575e4c0804a

                                                                                    SHA256

                                                                                    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                                                    SHA512

                                                                                    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                    Filesize

                                                                                    152B

                                                                                    MD5

                                                                                    111c361619c017b5d09a13a56938bd54

                                                                                    SHA1

                                                                                    e02b363a8ceb95751623f25025a9299a2c931e07

                                                                                    SHA256

                                                                                    d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

                                                                                    SHA512

                                                                                    fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                    Filesize

                                                                                    152B

                                                                                    MD5

                                                                                    983cbc1f706a155d63496ebc4d66515e

                                                                                    SHA1

                                                                                    223d0071718b80cad9239e58c5e8e64df6e2a2fe

                                                                                    SHA256

                                                                                    cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

                                                                                    SHA512

                                                                                    d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
                                                                                    Filesize

                                                                                    37KB

                                                                                    MD5

                                                                                    27eec7e8f48ac0d64e62ec535a19ed37

                                                                                    SHA1

                                                                                    0454ae16951154ff4d64dc2dd20f780b6da87ee8

                                                                                    SHA256

                                                                                    9107d29b79f5c0e9d7ac88f893e0afb7c672d536b2e41de469172c8b7366e3d0

                                                                                    SHA512

                                                                                    f93033661c1974d9225b7e05543d7efe62574567abf7bdbb982b36e5b0be658937a7128de10376f9e39c20a2d40688862fa0e76aa53b0b8c87b99ee536fbb175

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
                                                                                    Filesize

                                                                                    18KB

                                                                                    MD5

                                                                                    af73a83498e939379445066f4be6686b

                                                                                    SHA1

                                                                                    bd5fb87bbb126fd672ec96b3a17e85ef92f8bcdc

                                                                                    SHA256

                                                                                    680fce4f4484948006f144bbabcbbc43b898e82ffe80b1f36b2a381f48507585

                                                                                    SHA512

                                                                                    e923a671dd7b9f2a3ee90b93eda9ec5dad3e4084053cb6c0a2002f02a4fdb0706f9d5c1859a8c2495ba08c6d6f641ca77dcab41987d1da08f8c0395a9e5cdd6f

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
                                                                                    Filesize

                                                                                    51KB

                                                                                    MD5

                                                                                    17a9abc039770db755b06a244d08404d

                                                                                    SHA1

                                                                                    ad305806b6274f042f1263776f2746e7b2eaf5e2

                                                                                    SHA256

                                                                                    c02dd84f3794dedd30efcbd0ae0ef8217c26da6e507622f6f3b37911cd611154

                                                                                    SHA512

                                                                                    efc3b957141e1d6f029d3f462064d27bb9dfb458d176a7b60dfc7d732230e43fb205ce92e0d7d69d13aa3823b3f42aa1822926647830c3e42c1c4203fe39a805

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a
                                                                                    Filesize

                                                                                    31KB

                                                                                    MD5

                                                                                    90c022b118f9919292cc52a166353f69

                                                                                    SHA1

                                                                                    9a25aa3e19d7d8d459caad3cc9f16cd0d48f5ff1

                                                                                    SHA256

                                                                                    68e95b8d43f7bf6631f93617ccdc179e5abbc221da9976d2dfd9277952753063

                                                                                    SHA512

                                                                                    b05e2e696f99a583c474d8638cc7940413811e8151ab50a605647e2777781b8f9a6e6ed9830492d72c5ea120c24d3fbae0cbe47ba11cd984a31335060773aed7

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011
                                                                                    Filesize

                                                                                    20KB

                                                                                    MD5

                                                                                    9985fae88748763dcbaeb52cd5bb1c97

                                                                                    SHA1

                                                                                    db05d8e97e2cc2979c5a33ff1358749f996c9d40

                                                                                    SHA256

                                                                                    a7c300f3096bcbb9cf24d472c9513ea876572eb14bda58f9bf7bad439ff805c2

                                                                                    SHA512

                                                                                    b701e77edb480296609129e518f4e1b9f153c9c113b648f9b0c83dc7d3d54dc8d46a369551fa9bd9141c0b30609a6837247bf5a3222d960fa5c03f576440256d

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022
                                                                                    Filesize

                                                                                    62KB

                                                                                    MD5

                                                                                    c3c0eb5e044497577bec91b5970f6d30

                                                                                    SHA1

                                                                                    d833f81cf21f68d43ba64a6c28892945adc317a6

                                                                                    SHA256

                                                                                    eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

                                                                                    SHA512

                                                                                    83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023
                                                                                    Filesize

                                                                                    67KB

                                                                                    MD5

                                                                                    a074f116c725add93a8a828fbdbbd56c

                                                                                    SHA1

                                                                                    88ca00a085140baeae0fd3072635afe3f841d88f

                                                                                    SHA256

                                                                                    4cdcda7d8363be5bc824064259780779e7c046d56399c8a191106f55ce2ed8a6

                                                                                    SHA512

                                                                                    43ed55cda35bde93fc93c408908ab126e512c45611a994d7f4e5c85d4f2d90d573066082cb7b8dffce6a24a1f96cd534586646719b214ac7874132163faa5f28

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024
                                                                                    Filesize

                                                                                    41KB

                                                                                    MD5

                                                                                    c79d8ef4fd2431bf9ce5fdee0b7a44bf

                                                                                    SHA1

                                                                                    ac642399b6b3bf30fe09c17e55ecbbb5774029ff

                                                                                    SHA256

                                                                                    535e28032abf1bac763bffd0ba968561265026803eb688d3cb0550ad9af1a0e8

                                                                                    SHA512

                                                                                    6b35d8b0d3e7f1821bfaeae337364ed8186085fa50ee2b368d205489a004cb46879efb2c400caf24ba6856625fe7ee1a71c72d2598c18044813ecde431054fb5

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025
                                                                                    Filesize

                                                                                    19KB

                                                                                    MD5

                                                                                    2e86a72f4e82614cd4842950d2e0a716

                                                                                    SHA1

                                                                                    d7b4ee0c9af735d098bff474632fc2c0113e0b9c

                                                                                    SHA256

                                                                                    c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

                                                                                    SHA512

                                                                                    7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026
                                                                                    Filesize

                                                                                    63KB

                                                                                    MD5

                                                                                    710d7637cc7e21b62fd3efe6aba1fd27

                                                                                    SHA1

                                                                                    8645d6b137064c7b38e10c736724e17787db6cf3

                                                                                    SHA256

                                                                                    c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

                                                                                    SHA512

                                                                                    19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027
                                                                                    Filesize

                                                                                    88KB

                                                                                    MD5

                                                                                    b38fbbd0b5c8e8b4452b33d6f85df7dc

                                                                                    SHA1

                                                                                    386ba241790252df01a6a028b3238de2f995a559

                                                                                    SHA256

                                                                                    b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

                                                                                    SHA512

                                                                                    546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029
                                                                                    Filesize

                                                                                    1.2MB

                                                                                    MD5

                                                                                    9f8f80ca4d9435d66dd761fbb0753642

                                                                                    SHA1

                                                                                    5f187d02303fd9044b9e7c74e0c02fe8e6a646b7

                                                                                    SHA256

                                                                                    ab481b8b19b3336deda1b9ad4680cce4958152c9f9daa60c7bd8eb6786887359

                                                                                    SHA512

                                                                                    9c0de8e5bf16f096bf781189d813eeb52c3c8ec73fc791de10a8781e9942de06ed30ff5021ab7385c98686330049e3e610adc3e484e12ef807eec58607cfae63

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                                    Filesize

                                                                                    1KB

                                                                                    MD5

                                                                                    4a825af6036c879b0ead47e6e520a07f

                                                                                    SHA1

                                                                                    8dceffd0b7c4e71b99015458df686c445b79807b

                                                                                    SHA256

                                                                                    00b70ebe81467c66e4581a7e7d4ee3a16d11876c8666bb60bb9889470eb78f5d

                                                                                    SHA512

                                                                                    0164fba9112284cb96aea06291fff91961f43e2d259eb98f536224e62902c607dc2c39439ddf78713b01072019dfa78d420d33cee77be0db1df31f74d96e8788

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                                    Filesize

                                                                                    3KB

                                                                                    MD5

                                                                                    3a3fce505d2b1825dfca971df3ecb773

                                                                                    SHA1

                                                                                    345e89b5d5f57c0e5a5e5b2cf2e4f20bcdc0438c

                                                                                    SHA256

                                                                                    c4fc743d53d059dc4d94b153bf69c28791aa8d7eb73fae173b415ab0ae485dd2

                                                                                    SHA512

                                                                                    35e47e8f66190643934b30f0162ea710502a0094b67c2e757e9d5782b330fc73879dbe3b87fadeb2a85f53d29ccb36672413828d3b39fea52440917cbcae955f

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                    Filesize

                                                                                    4KB

                                                                                    MD5

                                                                                    8856b8c7b86b3798b4ec91d8f95e037d

                                                                                    SHA1

                                                                                    de2aa72773bd9eab4538c0710e67befb57017873

                                                                                    SHA256

                                                                                    6f029fae0410855b50f3d52985f699e0ac381c2e159433e49bc7a894d202cbbe

                                                                                    SHA512

                                                                                    718ced4ef1b6fe8a5b882ed1c7637f94262877f1dcbb2c3be744eefc26641a8850c50c5996bad648ea140a76d352593df0428b9253c4a64426bd7f79fe1afabf

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                    Filesize

                                                                                    3KB

                                                                                    MD5

                                                                                    6778c622db3c2ff2ea17ae19c995a384

                                                                                    SHA1

                                                                                    eca56458f349fb078e18975d7d6f78e97efc9fe8

                                                                                    SHA256

                                                                                    0d8c47402ed3010a1c85ad3d93d6b18f6ac7b11354a3cd6bacd0c3064317fab8

                                                                                    SHA512

                                                                                    3d57741df21841dd25f5269183b6b1679e8c30f230c327065c314f8ac72ee19070f2f80ab113a31bb2d5ef8643790a415bdaebdb23ccc3e9c9391577fee86bb4

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                    Filesize

                                                                                    4KB

                                                                                    MD5

                                                                                    12e1d4857e241fe0dde1dc8c60053067

                                                                                    SHA1

                                                                                    4a1c43922eb6884f43b0b86746c3b1999c883954

                                                                                    SHA256

                                                                                    275dd22637debfc3dfff65a08e8b769a452de453ce4702073d80854f9069e0cd

                                                                                    SHA512

                                                                                    11ffe91e7d3d6db4f2707c8a608d30d03f17af946de2508686180bf803ac17ec27bbe9e9ab6a296cafd86d00337801e40f745b86a184a85c02edba245da625d1

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                    Filesize

                                                                                    6KB

                                                                                    MD5

                                                                                    b84fec6ba322d5b86dd584ca1b920c4d

                                                                                    SHA1

                                                                                    d20ceb2018083c27e63c64154daf76ae465756e1

                                                                                    SHA256

                                                                                    57593091be7402a38b6eefcff4ef533798817d415923ea4c06e0389d4d158995

                                                                                    SHA512

                                                                                    56bf103bb8666f341d8144bc2613980ca0c828310d1c33d6156d35c53ebc8c9b232f1d5444390c5bc99d31eb3974308b841e7bc30508eead1662bf2c92190087

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                    Filesize

                                                                                    8KB

                                                                                    MD5

                                                                                    98cf5a367e693eb8151e223d4a729292

                                                                                    SHA1

                                                                                    daa93c7fcbc53993fa717caf29be7f02c984bb53

                                                                                    SHA256

                                                                                    94b2f657a77a46696686fc7c5a1f0afc4e2f18d577d92dfd33fe8f9fd3a7c214

                                                                                    SHA512

                                                                                    47a1127030c89cb239b03e2ecf061964b015b01af170d332ce502b8a67620ee59e5946f5f92096d0e451767ebe1bf3b166dae69f0fc2ea565297d8f38db74dad

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                    Filesize

                                                                                    8KB

                                                                                    MD5

                                                                                    26e29c39cf21c2650f0a3df1ab125234

                                                                                    SHA1

                                                                                    e5e0efec5ca264ea8f2d9b4bb346a9518e49f176

                                                                                    SHA256

                                                                                    39bf09a5a12e0bf7682d4e091f6ef427f589e1fa2d675ca55fdb78abf5874e77

                                                                                    SHA512

                                                                                    8e5c0360ebf02221873853e22be06ebea989ed238b5e8f49eab9eec610b099b18d7105b3526946b47a755611ca8863211bdecdb014e0e6edff53068019751542

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                    Filesize

                                                                                    9KB

                                                                                    MD5

                                                                                    a9ddefa8566cc60dfa5700b9f9bb7bdd

                                                                                    SHA1

                                                                                    a24446910a387647e6f7160367b715abb25871b1

                                                                                    SHA256

                                                                                    650d3695cdd97de4cce8de32171ef6e119a5291a5a6635fe293ee8e13e623dd7

                                                                                    SHA512

                                                                                    ec69e04a64702e83e645fadbdf6488a41faeb5fae327cc86166e30ca31c4c52d3f5b9cbe1581a4179deaaba9df136c0c6589f38f9d8d4342c13e7fb8432120c2

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                    Filesize

                                                                                    9KB

                                                                                    MD5

                                                                                    e0fcf3d66e7aa8214b16f3861d01b0b3

                                                                                    SHA1

                                                                                    1fa3c9ba70faa3e5d13ec42f387ae96a01c8045a

                                                                                    SHA256

                                                                                    67ee27b05f8bb24c6b8e63d0ebf3bdbcd1acaface155fe73c56837e6149dffa6

                                                                                    SHA512

                                                                                    83d73ec1fcf37feac9443232b0f9a55bae2ef8c97a64e8692a51c50a16d38ca64da24264edbe0ecbe0b94195a1445735f06a811079a52b9d49261d39dcd92500

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                    Filesize

                                                                                    8KB

                                                                                    MD5

                                                                                    f67073372e72b69bf3fea7f895d52228

                                                                                    SHA1

                                                                                    7945e27c95c3ef4312f796679098b0f0caa8ac44

                                                                                    SHA256

                                                                                    fea233beb28cf2074f59324e6437b22ddb8ed81f7ce4112d2148a8db40ad27be

                                                                                    SHA512

                                                                                    6e84f9ef4bcb71cf663c8567ecffa8a34cdeb3e31602eedacc7ea7979a22f5533fae63094ee27cedd713d67edfa389cc10ec98a30dc46a1feb081b0879aba106

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                    Filesize

                                                                                    9KB

                                                                                    MD5

                                                                                    fe59d67d1b3fdc1dd615447969c0aa7c

                                                                                    SHA1

                                                                                    02be109ac6338263c9f8c60e94c802011fb1a61c

                                                                                    SHA256

                                                                                    d0119c03ab0bd6cd1bd568b178e0dc5dabc18942d2e2782d191537a4809ba48c

                                                                                    SHA512

                                                                                    86e932bf232133233cfd001b4edbaafa57a4c46b56bef98039c7b4f7c73942b56d423328ed8e6c197d044918ffabdff25eb7e163ec546aea6f64a8233fe87d47

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                    Filesize

                                                                                    9KB

                                                                                    MD5

                                                                                    ef1ba30d642c726b86d0edec796cafba

                                                                                    SHA1

                                                                                    6de06123bd49b5fdc6d7fc59ae8c06405db6e8a0

                                                                                    SHA256

                                                                                    1e7c571d999348ffdef02e754aa9978037e89cba2ee867a5497d23b78f662311

                                                                                    SHA512

                                                                                    40e51376a215d8c5c326251d1c09835ee00a51ad38441e3bee5e7c2ebadb81bafaaffe250ea3e5a1b200caa5f101cfb8f8c20f391b8cb701e877ba929b28dedd

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                    Filesize

                                                                                    1KB

                                                                                    MD5

                                                                                    617afd53c841b09e0fbc497cd328d99b

                                                                                    SHA1

                                                                                    17682109008ea4e517e330070ba58569be5885e3

                                                                                    SHA256

                                                                                    9ec4c5f83134f6817937e3bb00bbe71821f60fe0e644b4811e27fe83123b8298

                                                                                    SHA512

                                                                                    7ee002c591b718fc72be1b86f7dea4dc4f0f26a63834d5e16f176da98c33673e5a24590e10de0f6876e49cb69932ed3e28629a28b90a112938be7d34f7ffd4e7

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                    Filesize

                                                                                    1KB

                                                                                    MD5

                                                                                    7a2f4d7540cd02e223c6eedf38314e7a

                                                                                    SHA1

                                                                                    b1025ae3102299240bd16fcada76489f793970b0

                                                                                    SHA256

                                                                                    166ad094eee626da7792b7362086ae6164f87ae3a3287a6f685711379486b9f3

                                                                                    SHA512

                                                                                    07a75d2efe401cd828e1f843edded8f92018b62ce0833c95d3301936832091f7e3f6528ce0121a4e2b1764249a058c27e995f8266558a0f9dee6833b5912f135

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                    Filesize

                                                                                    2KB

                                                                                    MD5

                                                                                    d72c4a3bef1cc309571297f85eea67c2

                                                                                    SHA1

                                                                                    f5bef5644395139e8ce62d8863ce9b73440e6268

                                                                                    SHA256

                                                                                    daef75ff1e41b1fee90f47c52fcc0b4d21450881d2991ce34548503b4f74a0dc

                                                                                    SHA512

                                                                                    b37433e11094e0d61904a5423eb3d13f77e61e9841160a46d15965d945a89ee2bc5e95e08c2fdb6673219edb6e21ed97961c37d748b5a13b63f1af37ccb40f73

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58b90a.TMP
                                                                                    Filesize

                                                                                    371B

                                                                                    MD5

                                                                                    c519e24e4affb1fc1c2c03e1705797a4

                                                                                    SHA1

                                                                                    8f209c3c8d6addb58d8b313eb13b32976cda73c9

                                                                                    SHA256

                                                                                    737ff2bf1e15e2e773c24699125415d13507621560d60917496d6501af60195a

                                                                                    SHA512

                                                                                    210ed2b0b0cbeb3500186f13ca69983e505cac56dc8d641f6bd22540a2f72f961c638f3934daee8f4409d78c1606f440391821242253e41e988c38157659d627

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                                    Filesize

                                                                                    16B

                                                                                    MD5

                                                                                    206702161f94c5cd39fadd03f4014d98

                                                                                    SHA1

                                                                                    bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                                                    SHA256

                                                                                    1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                                                    SHA512

                                                                                    0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                                    Filesize

                                                                                    16B

                                                                                    MD5

                                                                                    46295cac801e5d4857d09837238a6394

                                                                                    SHA1

                                                                                    44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                                                    SHA256

                                                                                    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                                                    SHA512

                                                                                    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                    Filesize

                                                                                    11KB

                                                                                    MD5

                                                                                    b36e4b32f2e090125345f930189dec3a

                                                                                    SHA1

                                                                                    8e93f865d265bb19894c226adcdbfe2dab09f421

                                                                                    SHA256

                                                                                    8d55871113d3fd70d43815e26429ed5b7ee5a4d5c4145ebd8a8d5f740164da77

                                                                                    SHA512

                                                                                    fe7fd165268ea81dda2ccef592923879e5967f71ad5810820d600a12c02059b6bf8ab93b3106ba27286b1e5b86be9c1c7ad200aff0d3fc053595ed29d0f85c76

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                    Filesize

                                                                                    11KB

                                                                                    MD5

                                                                                    761dbf44c7689c9488ba51e826b395ff

                                                                                    SHA1

                                                                                    ef82c7be078989d52afb6fec2fd306787b4c1ec1

                                                                                    SHA256

                                                                                    c862143808e3d4e891b63900d48b15486b1fbd1e8e327119e623d35b09ce57d6

                                                                                    SHA512

                                                                                    68a0ca676c52a63499e7df8d8d935b82b371cb4f5bba717db86d69706cd4432619f3e21e2def2a86810e00ba3fb21f2666ef02b3232994fecc108def5ba2e03e

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                    Filesize

                                                                                    12KB

                                                                                    MD5

                                                                                    b6dae27c7586f3ebb074d9552ae6422b

                                                                                    SHA1

                                                                                    72f006810f86e648b3bffad3f73a01583a7efd86

                                                                                    SHA256

                                                                                    0174d4b1e49282026f8970a234130ea4538d4000bdbb280229f67427614096a0

                                                                                    SHA512

                                                                                    bb4c442290defe2f96dbb65bd832fc43d03cc24120499ce67ed7b9446bb00c9fb9e0656ca9b53fb47fec259bcd14dd74a4c88ec171f5667add5c351f49360c3b

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                    Filesize

                                                                                    944B

                                                                                    MD5

                                                                                    62623d22bd9e037191765d5083ce16a3

                                                                                    SHA1

                                                                                    4a07da6872672f715a4780513d95ed8ddeefd259

                                                                                    SHA256

                                                                                    95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

                                                                                    SHA512

                                                                                    9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                    Filesize

                                                                                    944B

                                                                                    MD5

                                                                                    cadef9abd087803c630df65264a6c81c

                                                                                    SHA1

                                                                                    babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                                                                                    SHA256

                                                                                    cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                                                                                    SHA512

                                                                                    7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                    Filesize

                                                                                    944B

                                                                                    MD5

                                                                                    e448fe0d240184c6597a31d3be2ced58

                                                                                    SHA1

                                                                                    372b8d8c19246d3e38cd3ba123cc0f56070f03cd

                                                                                    SHA256

                                                                                    c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

                                                                                    SHA512

                                                                                    0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                    Filesize

                                                                                    944B

                                                                                    MD5

                                                                                    59d97011e091004eaffb9816aa0b9abd

                                                                                    SHA1

                                                                                    1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

                                                                                    SHA256

                                                                                    18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

                                                                                    SHA512

                                                                                    d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                    Filesize

                                                                                    944B

                                                                                    MD5

                                                                                    3a6bad9528f8e23fb5c77fbd81fa28e8

                                                                                    SHA1

                                                                                    f127317c3bc6407f536c0f0600dcbcf1aabfba36

                                                                                    SHA256

                                                                                    986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                                                                                    SHA512

                                                                                    846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                    Filesize

                                                                                    944B

                                                                                    MD5

                                                                                    5f0ddc7f3691c81ee14d17b419ba220d

                                                                                    SHA1

                                                                                    f0ef5fde8bab9d17c0b47137e014c91be888ee53

                                                                                    SHA256

                                                                                    a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

                                                                                    SHA512

                                                                                    2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                    Filesize

                                                                                    944B

                                                                                    MD5

                                                                                    e8ce785f8ccc6d202d56fefc59764945

                                                                                    SHA1

                                                                                    ca032c62ddc5e0f26d84eff9895eb87f14e15960

                                                                                    SHA256

                                                                                    d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

                                                                                    SHA512

                                                                                    66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.16.exe
                                                                                    Filesize

                                                                                    796KB

                                                                                    MD5

                                                                                    76639ab92661f5c384302899934051ab

                                                                                    SHA1

                                                                                    9b33828f8ad3a686ff02b1a4569b8ae38128caed

                                                                                    SHA256

                                                                                    6bb9ad960bcc9010db1b9918369bdfc4558f19287b5b6562079c610a28320178

                                                                                    SHA512

                                                                                    928e4374c087070f8a6786f9082f05a866751ea877edf9afa23f6941dfc4d6762e1688bbb135788d6286ec324fa117fc60b46fed2f6e3a4ab059465a00f2ebee

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_faahmqjs.mrj.ps1
                                                                                    Filesize

                                                                                    60B

                                                                                    MD5

                                                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                                                    SHA1

                                                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                    SHA256

                                                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                    SHA512

                                                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Temp\explorer.exe
                                                                                    Filesize

                                                                                    1.3MB

                                                                                    MD5

                                                                                    679c989b6a378bab5dd436601942781f

                                                                                    SHA1

                                                                                    17f39f43225563425ca39f6aa7eaf0a3b3dc0bf1

                                                                                    SHA256

                                                                                    7224bbcf3bd6d87e1071cb7e0fb9777796401bf5dd8e8f1875ce5e21ccce8d8e

                                                                                    SHA512

                                                                                    4141ef4a1172cd91764b9c21f9f48a828bb9e9d6c9e3ff304f426858a3730f66346045e4df279dd358b863a58b0d26fa83cddfcead823c7b01c0ca9cac11cedf

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Temp\h6J9oWuSia.bat
                                                                                    Filesize

                                                                                    207B

                                                                                    MD5

                                                                                    6ce2754b89bef610c8c887945b3ffb1d

                                                                                    SHA1

                                                                                    91d67594ef2a10f00a27ddc2a57e72b720baa5e9

                                                                                    SHA256

                                                                                    b4f543b850acae45453bdd8b1582e80e4ee358025691459a63c42fe6f9e7b0ed

                                                                                    SHA512

                                                                                    9f47d851db9d27a5982b2e98e1339b606384e419d411bb955ef9854c5c3c48a569594874b1fd6701716b93a5f8072a59a3b4eb57c875668f3b512a1abfeb6ae5

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                                                    Filesize

                                                                                    796KB

                                                                                    MD5

                                                                                    fa65805dc79caefec703e1339141fc65

                                                                                    SHA1

                                                                                    9f2480739aac09dcf254d87f5f63deaea8296404

                                                                                    SHA256

                                                                                    d122b76e0739d706b0c3078136fd05d55e92b09dca92864c66b428fa8c0da748

                                                                                    SHA512

                                                                                    b2fd9027cf118727dc5688912a0909403afede90a6efcb5e616dcca575753b82a85ba48f3d08b63148f5c5795d1af35f69803dde2fef358f94dd367ec55f1b63

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Roaming\runtimedll\Dys66TczvhbessmMKj4WgmTuE0u8f.bat
                                                                                    Filesize

                                                                                    47B

                                                                                    MD5

                                                                                    fe35c0364f013c7be13f2ec9e5e830ea

                                                                                    SHA1

                                                                                    123641b5e4e0acad712cf1ecf96901b096de6eec

                                                                                    SHA256

                                                                                    72aba57196684dc7756227e66e0fd8378ce1d3c48ce9a184b7e9eee9d6b7b06c

                                                                                    SHA512

                                                                                    2bebd7748a85addb9d306f2a4efb0eddec9937d962a184f1d2c3f0b95be6b6f1cbb3c929c87b8aef8ebd68491c47300e077f2ce6655b1ab6088e9c585fce56f1

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Roaming\runtimedll\FNSj17Htppfg4k3A3UQDZrtMDVU.vbe
                                                                                    Filesize

                                                                                    223B

                                                                                    MD5

                                                                                    91263a6cae8942e91793ad357fb699f9

                                                                                    SHA1

                                                                                    88e4284e8ffd462fc9e1034bbc403f85511734b7

                                                                                    SHA256

                                                                                    f1e741139e2938057c910a6968964cc706305e31d95bfbe8c671262ce453da73

                                                                                    SHA512

                                                                                    0d549433d4a6abb3ae88fab5bf9b7380d9069e9e7104004a85a41b7c62631c3e3aad830741fe023c46cd1a8b6340d32fbc5deffaf26f222e091b92c04d852df7

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Roaming\runtimedll\HyperproviderMonitor.exe
                                                                                    Filesize

                                                                                    1.0MB

                                                                                    MD5

                                                                                    35260f3ab90b954c6b95aa7a2565ccd3

                                                                                    SHA1

                                                                                    91fa67458c55524fd9659662b348794fb6bb08b3

                                                                                    SHA256

                                                                                    8a1d1d82a7627a27fda435c8e47bb1a4549a8503244d63dd0d6e5a65c19ec42c

                                                                                    SHA512

                                                                                    15275993095c40b67b502a8153995f1285a6f23046f68aea5799680736c344c4622e67be80d9db015ef54d1dd6ee5b5e94d1f32bc497b94ba5888a26eae225f0

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\Downloads\SolaraNew.rar
                                                                                    Filesize

                                                                                    1.4MB

                                                                                    MD5

                                                                                    92937b7f1a0e42669737600de0caa021

                                                                                    SHA1

                                                                                    b956aa3a140714e3e8e6266e1b72fdc5ef6f98eb

                                                                                    SHA256

                                                                                    8ba5953f41e5fdbfec34de4d6bed4fc1a346bac62aa7058d3a386b6bb46cb99a

                                                                                    SHA512

                                                                                    73aa57b874fae2cc834e1c0af4956069908465b37ff89b43604ff7dec5b3c44dbb1392a9466abe7d546da5ab7d904b7061962ab0aca6d5b5a6038cc1999e010c

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\Downloads\SolaraNew\Solara\SolaraBostrapers.exe
                                                                                    Filesize

                                                                                    2.2MB

                                                                                    MD5

                                                                                    f3ea935cf85c736c025898ecf37610d8

                                                                                    SHA1

                                                                                    55d262623356dc9d41c8ebee1ab69e0ed1a5d517

                                                                                    SHA256

                                                                                    1689c06648ca56b74ec995fb0e013458e4d932d3f42dcea0ef6c64a7b45a8b63

                                                                                    SHA512

                                                                                    5c787b6d16de0e86696fdf50fb13302ad0ce9089e23557d926d400b8275733a85b67f572f802a016b8bb8add9224fbc09566983d76bd086ba29720d871933f94

                                                                                    Download Submit

                                                                                  • C:\Windows\Installer\MSI269.tmp
                                                                                    Filesize

                                                                                    211KB

                                                                                    MD5

                                                                                    a3ae5d86ecf38db9427359ea37a5f646

                                                                                    SHA1

                                                                                    eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

                                                                                    SHA256

                                                                                    c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

                                                                                    SHA512

                                                                                    96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

                                                                                    Download Submit

                                                                                  • C:\Windows\Installer\MSI298D.tmp
                                                                                    Filesize

                                                                                    122KB

                                                                                    MD5

                                                                                    9fe9b0ecaea0324ad99036a91db03ebb

                                                                                    SHA1

                                                                                    144068c64ec06fc08eadfcca0a014a44b95bb908

                                                                                    SHA256

                                                                                    e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

                                                                                    SHA512

                                                                                    906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

                                                                                    Download Submit

                                                                                  • C:\Windows\Installer\e59f41e.msi
                                                                                    Filesize

                                                                                    30.1MB

                                                                                    MD5

                                                                                    0e4e9aa41d24221b29b19ba96c1a64d0

                                                                                    SHA1

                                                                                    231ade3d5a586c0eb4441c8dbfe9007dc26b2872

                                                                                    SHA256

                                                                                    5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

                                                                                    SHA512

                                                                                    e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

                                                                                    Download Submit

                                                                                  • memory/1484-311-0x0000000000F10000-0x000000000113E000-memory.dmp

                                                                                    Filesize

                                                                                    2.2MB

                                                                                    Download

                                                                                  • memory/1484-312-0x0000000005AC0000-0x0000000005B5C000-memory.dmp

                                                                                    Filesize

                                                                                    624KB

                                                                                    Download

                                                                                  • memory/2780-407-0x000001B956A70000-0x000001B956A92000-memory.dmp

                                                                                    Filesize

                                                                                    136KB

                                                                                    Download

                                                                                  • memory/4008-3988-0x00000183994A0000-0x00000183994C4000-memory.dmp

                                                                                    Filesize

                                                                                    144KB

                                                                                    Download

                                                                                  • memory/4008-3991-0x00000183B3E00000-0x00000183B3EB2000-memory.dmp

                                                                                    Filesize

                                                                                    712KB

                                                                                    Download

                                                                                  • memory/4008-3998-0x00000183B4850000-0x00000183B48E0000-memory.dmp

                                                                                    Filesize

                                                                                    576KB

                                                                                    Download

                                                                                  • memory/4008-4012-0x0000000180000000-0x0000000180FA6000-memory.dmp

                                                                                    Filesize

                                                                                    15.6MB

                                                                                    Download

                                                                                  • memory/4008-4011-0x00000183B3D30000-0x00000183B3D3E000-memory.dmp

                                                                                    Filesize

                                                                                    56KB

                                                                                    Download

                                                                                  • memory/4008-4013-0x0000000180000000-0x0000000180FA6000-memory.dmp

                                                                                    Filesize

                                                                                    15.6MB

                                                                                    Download

                                                                                  • memory/4008-3990-0x00000183B3D40000-0x00000183B3DFA000-memory.dmp

                                                                                    Filesize

                                                                                    744KB

                                                                                    Download

                                                                                  • memory/4008-4010-0x00000183B4B80000-0x00000183B4BB8000-memory.dmp

                                                                                    Filesize

                                                                                    224KB

                                                                                    Download

                                                                                  • memory/4008-3989-0x00000183B3FD0000-0x00000183B450C000-memory.dmp

                                                                                    Filesize

                                                                                    5.2MB

                                                                                    Download

                                                                                  • memory/4008-3997-0x000001839B2C0000-0x000001839B2D0000-memory.dmp

                                                                                    Filesize

                                                                                    64KB

                                                                                    Download

                                                                                  • memory/4008-3993-0x0000000180000000-0x0000000180FA6000-memory.dmp

                                                                                    Filesize

                                                                                    15.6MB

                                                                                    Download

                                                                                  • memory/4008-4008-0x00000183B3CD0000-0x00000183B3CD8000-memory.dmp

                                                                                    Filesize

                                                                                    32KB

                                                                                    Download

                                                                                  • memory/4008-3996-0x0000000180000000-0x0000000180FA6000-memory.dmp

                                                                                    Filesize

                                                                                    15.6MB

                                                                                    Download

                                                                                  • memory/4008-3995-0x0000000180000000-0x0000000180FA6000-memory.dmp

                                                                                    Filesize

                                                                                    15.6MB

                                                                                    Download

                                                                                  • memory/4008-3994-0x0000000180000000-0x0000000180FA6000-memory.dmp

                                                                                    Filesize

                                                                                    15.6MB

                                                                                    Download

                                                                                  • memory/4448-4042-0x0000000180000000-0x0000000180FA6000-memory.dmp

                                                                                    Filesize

                                                                                    15.6MB

                                                                                    Download

                                                                                  • memory/4448-4045-0x0000000180000000-0x0000000180FA6000-memory.dmp

                                                                                    Filesize

                                                                                    15.6MB

                                                                                    Download

                                                                                  • memory/4448-4043-0x0000000180000000-0x0000000180FA6000-memory.dmp

                                                                                    Filesize

                                                                                    15.6MB

                                                                                    Download

                                                                                  • memory/4448-4044-0x0000000180000000-0x0000000180FA6000-memory.dmp

                                                                                    Filesize

                                                                                    15.6MB

                                                                                    Download

                                                                                  • memory/5240-333-0x0000000000AA0000-0x0000000000B6E000-memory.dmp

                                                                                    Filesize

                                                                                    824KB

                                                                                    Download

                                                                                  • memory/5564-3820-0x000001D776630000-0x000001D776631000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/5564-3821-0x000001D776630000-0x000001D776631000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/5564-3878-0x000001D776630000-0x000001D776631000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/5564-3877-0x000001D776630000-0x000001D776631000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/5564-3879-0x000001D776630000-0x000001D776631000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/5564-3880-0x000001D776630000-0x000001D776631000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/5564-3881-0x000001D776630000-0x000001D776631000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/5564-3882-0x000001D776630000-0x000001D776631000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/5564-3883-0x000001D776630000-0x000001D776631000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/5564-3819-0x000001D776630000-0x000001D776631000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/5656-352-0x000000001BB50000-0x000000001BB5C000-memory.dmp

                                                                                    Filesize

                                                                                    48KB

                                                                                    Download

                                                                                  • memory/5656-351-0x000000001BB80000-0x000000001BB8E000-memory.dmp

                                                                                    Filesize

                                                                                    56KB

                                                                                    Download

                                                                                  • memory/5656-346-0x0000000000710000-0x000000000081C000-memory.dmp

                                                                                    Filesize

                                                                                    1.0MB

                                                                                    Download

                                                                                  • memory/5656-348-0x000000001B320000-0x000000001B328000-memory.dmp

                                                                                    Filesize

                                                                                    32KB

                                                                                    Download

                                                                                  • memory/5656-350-0x000000001BB60000-0x000000001BB72000-memory.dmp

                                                                                    Filesize

                                                                                    72KB

                                                                                    Download

                                                                                  • memory/5656-349-0x000000001BA40000-0x000000001BA48000-memory.dmp

                                                                                    Filesize

                                                                                    32KB

                                                                                    Download

                                                                                  • memory/6140-1172-0x0000000006450000-0x00000000067A4000-memory.dmp

                                                                                    Filesize

                                                                                    3.3MB

                                                                                    Download

                                                                                  • memory/6140-1171-0x0000000006420000-0x0000000006442000-memory.dmp

                                                                                    Filesize

                                                                                    136KB

                                                                                    Download

                                                                                  • memory/6256-4031-0x0000000006590000-0x00000000068E4000-memory.dmp

                                                                                    Filesize

                                                                                    3.3MB

                                                                                    Download

                                                                                  • memory/6600-3978-0x0000000005D20000-0x0000000006074000-memory.dmp

                                                                                    Filesize

                                                                                    3.3MB

                                                                                    Download

                                                                                  • memory/6872-3546-0x0000029AC7DB0000-0x0000029AC7DC2000-memory.dmp

                                                                                    Filesize

                                                                                    72KB

                                                                                    Download

                                                                                  • memory/6872-1182-0x0000029AAD4D0000-0x0000029AAD59E000-memory.dmp

                                                                                    Filesize

                                                                                    824KB

                                                                                    Download

                                                                                  • memory/6872-3544-0x0000029AC7A70000-0x0000029AC7A7A000-memory.dmp

                                                                                    Filesize

                                                                                    40KB

                                                                                    Download

                                                                                  • memory/6892-595-0x000000001CCC0000-0x000000001CE82000-memory.dmp

                                                                                    Filesize

                                                                                    1.8MB

                                                                                    Download

                                                                                  • memory/6892-585-0x0000000002B10000-0x0000000002B22000-memory.dmp

                                                                                    Filesize

                                                                                    72KB

                                                                                    Download

                                                                                  • memory/6892-596-0x000000001D5C0000-0x000000001DAE8000-memory.dmp

                                                                                    Filesize

                                                                                    5.2MB

                                                                                    Download