2c1952990fa3431219bab7428c907dc2c67f214944a22da6a320411ad21b2e59

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper/SolaraDownloader.exe
Size

139KB
MD5

55d6478689c01c567a35e717c5a12e24
SHA1

c1c0f82203d01d2db74c2a61b1263aac2042cf36
SHA256

1b1600ef1aa80e31c8f5def6efbd296d4aa7a3cdd1d57e10ed2e71d197ebac72
SHA512

c5fb4e5f584a7cf791d2bf2e7c183ecd27128eeee1b4974d50c4cce01683b6887c00a35e4c3f66f69d4aa2a463d526619ef6a832c1de4ae73dd12d876a8c17b9
SSDEEP

3072:wu/4Fqqdnmh9RDNmCXLRiAIrmDSg78INuC31RbPdLnY7eC5l1L3:wu/4FqqImCXLRiAIrmP78INx70LN

Score

10^/10

defense_evasion discovery evasion execution persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs

description	pid	Process	procid_target
PID 3116 created 3360	3116	env.exe	56
PID 3116 created 3360	3116	env.exe	56
PID 3116 created 3360	3116	env.exe	56
PID 3116 created 3360	3116	env.exe	56
PID 3116 created 3360	3116	env.exe	56
PID 3116 created 3360	3116	env.exe	56
PID 3692 created 3360	3692	updater.exe	56
PID 3692 created 3360	3692	updater.exe	56
PID 3692 created 3360	3692	updater.exe	56
PID 3692 created 3360	3692	updater.exe	56
PID 3692 created 3360	3692	updater.exe	56
PID 3692 created 3360	3692	updater.exe	56
PID 3692 created 3360	3692	updater.exe	56

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3196	powershell.exe
1884	powershell.exe
2332	powershell.exe
4928	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	SolaraDownloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	BootstrapperV1.17.exe

Executes dropped EXE 4 IoCs

pid	Process
4112	Bootstrapper.exe
3116	env.exe
1868	BootstrapperV1.17.exe
3692	updater.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Loads dropped DLL 11 IoCs

pid	Process
1908	MsiExec.exe
1908	MsiExec.exe
3568	MsiExec.exe
3568	MsiExec.exe
3568	MsiExec.exe
3568	MsiExec.exe
3568	MsiExec.exe
320	MsiExec.exe
320	MsiExec.exe
320	MsiExec.exe
1908	MsiExec.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
71	1844	msiexec.exe
73	1844	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
49	pastebin.com
8	raw.githubusercontent.com
10	raw.githubusercontent.com
41	pastebin.com
42	pastebin.com

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
632	cmd.exe
4056	powercfg.exe
2384	powercfg.exe
4448	cmd.exe
3192	powercfg.exe
3408	powercfg.exe
4068	powercfg.exe
4324	powercfg.exe
2600	powercfg.exe
1116	powercfg.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3116 set thread context of 1824	3116	env.exe	119
PID 3692 set thread context of 2044	3692	updater.exe	145
PID 3692 set thread context of 4772	3692	updater.exe	152
PID 3692 set thread context of 5084	3692	updater.exe	153

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-registry-fetch\lib\default-opts.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-pkg.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\nodewin\corepack	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\gauge\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\is-core-module\core.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npmlog\LICENSE.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\remove.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\socks-proxy-agent\dist\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\readable-stream\CONTRIBUTING.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\qrcode-terminal\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\lib\content\path.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\override-set.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\walk-up-path\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\rimraf.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\lib\shim-bin.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-json-stream\node_modules\minipass\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\events\tests\listeners-side-effects.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\Find-VisualStudio.cs	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\diff\line.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-whoami.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-sized\node_modules\minipass\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\abbrev\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\just-diff-apply\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-root.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\x509\asn1\error.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\clean-stack\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\patch\apply.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\signal-exit\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\supports-color\browser.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\bin\virtual.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\console-control-strings\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\index.es6.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\utils\audit-error.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\cacache\lib\util\hash-to-segments.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\store\public-good-instance-root.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\unpack.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\MSVSUserFile.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tiny-relative-date\LICENSE.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\has-unicode\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\utils\key.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-packlist\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\utils\auth.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\search.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\models\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\abbrev\abbrev.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\qrcode-terminal\vendor\QRCode\QRErrorCorrectLevel.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-view.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-root.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\negotiator\lib\encoding.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\archy\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\lib\get-paths.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\generator\ninja_test.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\path-is-absolute\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\are-we-there-yet\lib\tracker.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tiny-relative-date\src\factory.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\readable-stream\lib\internal\streams\pipeline.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\lib\file.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\lib\util\cache-dir.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cmd-shim\lib\to-batch-syntax.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\function-bind\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\workspaces\update-workspaces.js	msiexec.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI1F0C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2017.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2597.tmp	msiexec.exe
File created	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File created	C:\Windows\Installer\e581210.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58120c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI64D9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI671C.tmp	msiexec.exe
File created	C:\Windows\Installer\e58120c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2047.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI27DA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI643B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6C7C.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI280A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI40A4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI40D4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2224	sc.exe
4156	sc.exe
4588	sc.exe
5048	sc.exe
2612	sc.exe
2924	sc.exe
4540	sc.exe
900	sc.exe
1772	sc.exe
3188	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Fri, 23 Aug 2024 15:42:10 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1724427729"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={22081339-832F-42C8-B9A5-FE07FBD98CBD}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe

Modifies registry class 34 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeEtwSupport = "NodeRuntime"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\DocumentationShortcuts	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\npm	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\corepack	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPath	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\PackageCode = "347C7A52EDBDC9A498427C0BC7ABB536"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductIcon = "C:\\Windows\\Installer\\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\\NodeIcon"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\PackageName = "node-v18.16.0-x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductName = "Node.js"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeRuntime	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Version = "303038464"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1868	BootstrapperV1.17.exe
1868	BootstrapperV1.17.exe
1844	msiexec.exe
1844	msiexec.exe
3116	env.exe
3116	env.exe
2332	powershell.exe
2332	powershell.exe
2332	powershell.exe
3116	env.exe
3116	env.exe
3116	env.exe
3116	env.exe
3116	env.exe
3116	env.exe
3116	env.exe
3116	env.exe
1824	dialer.exe
1824	dialer.exe
1884	powershell.exe
1884	powershell.exe
1884	powershell.exe
3116	env.exe
3116	env.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe
1824	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4112	Bootstrapper.exe
Token: SeDebugPrivilege	1868	BootstrapperV1.17.exe
Token: SeShutdownPrivilege	4344	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4344	msiexec.exe
Token: SeSecurityPrivilege	1844	msiexec.exe
Token: SeCreateTokenPrivilege	4344	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4344	msiexec.exe
Token: SeLockMemoryPrivilege	4344	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4344	msiexec.exe
Token: SeMachineAccountPrivilege	4344	msiexec.exe
Token: SeTcbPrivilege	4344	msiexec.exe
Token: SeSecurityPrivilege	4344	msiexec.exe
Token: SeTakeOwnershipPrivilege	4344	msiexec.exe
Token: SeLoadDriverPrivilege	4344	msiexec.exe
Token: SeSystemProfilePrivilege	4344	msiexec.exe
Token: SeSystemtimePrivilege	4344	msiexec.exe
Token: SeProfSingleProcessPrivilege	4344	msiexec.exe
Token: SeIncBasePriorityPrivilege	4344	msiexec.exe
Token: SeCreatePagefilePrivilege	4344	msiexec.exe
Token: SeCreatePermanentPrivilege	4344	msiexec.exe
Token: SeBackupPrivilege	4344	msiexec.exe
Token: SeRestorePrivilege	4344	msiexec.exe
Token: SeShutdownPrivilege	4344	msiexec.exe
Token: SeDebugPrivilege	4344	msiexec.exe
Token: SeAuditPrivilege	4344	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4344	msiexec.exe
Token: SeChangeNotifyPrivilege	4344	msiexec.exe
Token: SeRemoteShutdownPrivilege	4344	msiexec.exe
Token: SeUndockPrivilege	4344	msiexec.exe
Token: SeSyncAgentPrivilege	4344	msiexec.exe
Token: SeEnableDelegationPrivilege	4344	msiexec.exe
Token: SeManageVolumePrivilege	4344	msiexec.exe
Token: SeImpersonatePrivilege	4344	msiexec.exe
Token: SeCreateGlobalPrivilege	4344	msiexec.exe
Token: SeRestorePrivilege	1844	msiexec.exe
Token: SeTakeOwnershipPrivilege	1844	msiexec.exe
Token: SeRestorePrivilege	1844	msiexec.exe
Token: SeTakeOwnershipPrivilege	1844	msiexec.exe
Token: SeRestorePrivilege	1844	msiexec.exe
Token: SeTakeOwnershipPrivilege	1844	msiexec.exe
Token: SeRestorePrivilege	1844	msiexec.exe
Token: SeTakeOwnershipPrivilege	1844	msiexec.exe
Token: SeRestorePrivilege	1844	msiexec.exe
Token: SeTakeOwnershipPrivilege	1844	msiexec.exe
Token: SeRestorePrivilege	1844	msiexec.exe
Token: SeTakeOwnershipPrivilege	1844	msiexec.exe
Token: SeRestorePrivilege	1844	msiexec.exe
Token: SeTakeOwnershipPrivilege	1844	msiexec.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	1824	dialer.exe
Token: SeShutdownPrivilege	4056	powercfg.exe
Token: SeCreatePagefilePrivilege	4056	powercfg.exe
Token: SeShutdownPrivilege	3408	powercfg.exe
Token: SeCreatePagefilePrivilege	3408	powercfg.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeShutdownPrivilege	4068	powercfg.exe
Token: SeCreatePagefilePrivilege	4068	powercfg.exe
Token: SeShutdownPrivilege	2384	powercfg.exe
Token: SeCreatePagefilePrivilege	2384	powercfg.exe
Token: SeIncreaseQuotaPrivilege	1884	powershell.exe
Token: SeSecurityPrivilege	1884	powershell.exe
Token: SeTakeOwnershipPrivilege	1884	powershell.exe
Token: SeLoadDriverPrivilege	1884	powershell.exe
Token: SeSystemProfilePrivilege	1884	powershell.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
3360	Explorer.EXE
3360	Explorer.EXE
3360	Explorer.EXE
3360	Explorer.EXE
3360	Explorer.EXE
3360	Explorer.EXE
3360	Explorer.EXE
3360	Explorer.EXE
3360	Explorer.EXE
3360	Explorer.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3360	Explorer.EXE
3928	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 4112	3972	SolaraDownloader.exe	95
PID 3972 wrote to memory of 4112	3972	SolaraDownloader.exe	95
PID 3972 wrote to memory of 3116	3972	SolaraDownloader.exe	97
PID 3972 wrote to memory of 3116	3972	SolaraDownloader.exe	97
PID 4112 wrote to memory of 1868	4112	Bootstrapper.exe	98
PID 4112 wrote to memory of 1868	4112	Bootstrapper.exe	98
PID 1868 wrote to memory of 4344	1868	BootstrapperV1.17.exe	102
PID 1868 wrote to memory of 4344	1868	BootstrapperV1.17.exe	102
PID 1844 wrote to memory of 1908	1844	msiexec.exe	106
PID 1844 wrote to memory of 1908	1844	msiexec.exe	106
PID 1844 wrote to memory of 3568	1844	msiexec.exe	107
PID 1844 wrote to memory of 3568	1844	msiexec.exe	107
PID 1844 wrote to memory of 3568	1844	msiexec.exe	107
PID 3152 wrote to memory of 3188	3152	cmd.exe	112
PID 3152 wrote to memory of 3188	3152	cmd.exe	112
PID 3152 wrote to memory of 2924	3152	cmd.exe	113
PID 3152 wrote to memory of 2924	3152	cmd.exe	113
PID 3152 wrote to memory of 2612	3152	cmd.exe	114
PID 3152 wrote to memory of 2612	3152	cmd.exe	114
PID 3152 wrote to memory of 2224	3152	cmd.exe	115
PID 3152 wrote to memory of 2224	3152	cmd.exe	115
PID 3152 wrote to memory of 4540	3152	cmd.exe	116
PID 3152 wrote to memory of 4540	3152	cmd.exe	116
PID 3116 wrote to memory of 1824	3116	env.exe	119
PID 632 wrote to memory of 4056	632	cmd.exe	122
PID 632 wrote to memory of 4056	632	cmd.exe	122
PID 632 wrote to memory of 3408	632	cmd.exe	123
PID 632 wrote to memory of 3408	632	cmd.exe	123
PID 632 wrote to memory of 4068	632	cmd.exe	124
PID 632 wrote to memory of 4068	632	cmd.exe	124
PID 632 wrote to memory of 2384	632	cmd.exe	125
PID 632 wrote to memory of 2384	632	cmd.exe	125
PID 1824 wrote to memory of 612	1824	dialer.exe	5
PID 1824 wrote to memory of 668	1824	dialer.exe	7
PID 1824 wrote to memory of 944	1824	dialer.exe	12
PID 1824 wrote to memory of 316	1824	dialer.exe	13
PID 1824 wrote to memory of 512	1824	dialer.exe	14
PID 1824 wrote to memory of 724	1824	dialer.exe	15
PID 1824 wrote to memory of 1076	1824	dialer.exe	17
PID 1824 wrote to memory of 1084	1824	dialer.exe	18
PID 1824 wrote to memory of 1152	1824	dialer.exe	19
PID 1824 wrote to memory of 1196	1824	dialer.exe	20
PID 1824 wrote to memory of 1244	1824	dialer.exe	21
PID 1152 wrote to memory of 3692	1152	svchost.exe	128
PID 1152 wrote to memory of 3692	1152	svchost.exe	128
PID 1824 wrote to memory of 3692	1824	dialer.exe	128
PID 668 wrote to memory of 2768	668	lsass.exe	49
PID 1824 wrote to memory of 1324	1824	dialer.exe	22
PID 1824 wrote to memory of 1332	1824	dialer.exe	23
PID 1824 wrote to memory of 1392	1824	dialer.exe	24
PID 1824 wrote to memory of 1472	1824	dialer.exe	25
PID 1824 wrote to memory of 1540	1824	dialer.exe	26
PID 1824 wrote to memory of 1564	1824	dialer.exe	27
PID 1824 wrote to memory of 1632	1824	dialer.exe	28
PID 1824 wrote to memory of 1724	1824	dialer.exe	29
PID 1824 wrote to memory of 1752	1824	dialer.exe	30
PID 1824 wrote to memory of 1748	1824	dialer.exe	31
PID 1824 wrote to memory of 1888	1824	dialer.exe	32
PID 1824 wrote to memory of 2000	1824	dialer.exe	33
PID 1824 wrote to memory of 2008	1824	dialer.exe	34
PID 1824 wrote to memory of 1452	1824	dialer.exe	35
PID 1824 wrote to memory of 1400	1824	dialer.exe	36
PID 1824 wrote to memory of 1488	1824	dialer.exe	37
PID 1824 wrote to memory of 2080	1824	dialer.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:316

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1392
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Modifies registry class
  PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1488

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2748

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2876

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3292

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
PID:3360
- C:\Users\Admin\AppData\Local\Temp\Bootstrapper\SolaraDownloader.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrapper\SolaraDownloader.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1740
- - C:\Users\Admin\AppData\Local\Temp\Bootstrapper\Solara\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper\Solara\Bootstrapper.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Users\Admin\AppData\Local\Temp\Bootstrapper\Solara\BootstrapperV1.17.exe
      "C:\Users\Admin\AppData\Local\Temp\Bootstrapper\Solara\BootstrapperV1.17.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\Bootstrapper\Solara\Bootstrapper.exe" --isUpdate true
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1868
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3148
    - - C:\Windows\System32\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4344
- - C:\Users\Admin\AppData\Local\Temp\Bootstrapper\Solara\workspace\env.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper\Solara\workspace\env.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3188
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2924
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2612
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2224
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4540
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4056
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3408
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4068
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2384
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#jewed#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:5044
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4928
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2340
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:4220
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3340
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:900
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4156
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4588
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5048
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1772
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:4448
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2780
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:4324
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:2600
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:1116
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:3192
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:2044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#jewed#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3196
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5004
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:4772
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:5084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3496

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3728

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3928

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3112

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3936

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1980

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2720

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:5008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:760

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2936

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:456

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1776

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:2024

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding E1A092371D813F372E86018D3F7C2424
  2⤵
  - Loads dropped DLL
  PID:1908
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A995229D581088F8FEB926DA23E169E1
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3568
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 202C4B6FE0DA41DA3BC07D3E66273D82 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:320
- - C:\Windows\SysWOW64\wevtutil.exe
    "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4480
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:896
  - - C:\Windows\System32\wevtutil.exe
      "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
      4⤵
      PID:4092

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:3208

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3448

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58120f.rbs

Filesize
1.0MB

MD5
d4e5857250f8440a0889395e835e3fea

SHA1
6ff29bfcbc2564ff7f50cd21481dd33e06a2c202

SHA256
d217e52c5181403ce740f37243695d53241b58afc0f543d03729f6b94fa3b3c7

SHA512
b04c352cf69a1ca9ffa01cdf0fd31f39c36c5d67e6b2cc93cb63bf6168861d9ed8ac1f852d719f8852e6cae3b8b13c4b4b574279b2b618ab4fb6ef11fec2bf6f

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
10KB

MD5
1d51e18a7247f47245b0751f16119498

SHA1
78f5d95dd07c0fcee43c6d4feab12d802d194d95

SHA256
1975aa34c1050b8364491394cebf6e668e2337c3107712e3eeca311262c7c46f

SHA512
1eccbe4ddae3d941b36616a202e5bd1b21d8e181810430a1c390513060ae9e3f12cd23f5b66ae0630fd6496b3139e2cc313381b5506465040e5a7a3543444e76

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
8KB

MD5
d3bc164e23e694c644e0b1ce3e3f9910

SHA1
1849f8b1326111b5d4d93febc2bafb3856e601bb

SHA256
1185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4

SHA512
91ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\aggregate-error\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\LICENSE.md

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts

Filesize
4KB

MD5
f0bd53316e08991d94586331f9c11d97

SHA1
f5a7a6dc0da46c3e077764cfb3e928c4a75d383e

SHA256
dd3eda3596af30eda88b4c6c2156d3af6e7fa221f39c46e492c5e9fb697e2fef

SHA512
fd6affbaed67d09cf45478f38e92b8ca6c27650a232cbbeaff36e4f7554fb731ae44cf732378641312e98221539e3d8fabe80a7814e4f425026202de44eb5839

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\LICENSE

Filesize
771B

MD5
1d7c74bcd1904d125f6aff37749dc069

SHA1
21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab

SHA256
24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9

SHA512
b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Install Additional Tools for Node.js.lnk

Filesize
982B

MD5
c621e3044e3e32b17db00ce0404ed0bd

SHA1
1a4b7223724ae64705d74e419617604aaabbc461

SHA256
52d32d217fbc19cbd9ff8031860c8037b3374b70c159983cc8b5e55cef2a0046

SHA512
a73ca41678869f7066a66be50b03386570d6f82f9218b0353ab260d469be133ed326c442d5ff1323bfd020c10b282571f053604a2e788a9bbc47ca7e75c842f4

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js command prompt.lnk

Filesize
966B

MD5
b67bc8aa534edf28c61e239177055f33

SHA1
3d6918660175cf0a33bbf72200c0a9687eea73e0

SHA256
4cd2981e0ddca767170adcbeecaefe577e0fe55ee62793e2668d381eabf568a9

SHA512
48bd7352e758a2ccad2306a60d377e2b495e7ffb48b0519497f7d4402aaac3a5458f6032d6d04f8b2d9f85197f19e48499ed3774d7a13e251552b57728884028

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
db7dbbc86e432573e54dedbcc02cb4a1

SHA1
cff9cfb98cff2d86b35dc680b405e8036bbbda47

SHA256
7cf8a9c96f9016132be81fd89f9573566b7dc70244a28eb59d573c2fdba1def9

SHA512
8f35f2e7dac250c66b209acecab836d3ecf244857b81bacebc214f0956ec108585990f23ff3f741678e371b0bee78dd50029d0af257a3bb6ab3b43df1e39f2ec

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url

Filesize
133B

MD5
35b86e177ab52108bd9fed7425a9e34a

SHA1
76a1f47a10e3ab829f676838147875d75022c70c

SHA256
afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319

SHA512
3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js.lnk

Filesize
949B

MD5
83050a91360893d0d18b544f68c5107b

SHA1
ab998b24734d3372d28a14e6ab0f3452d5cb6e49

SHA256
1aa786b0a354e082bd65a79114d40aa30a4e5bc599783b5a27315d9ff98e6b0d

SHA512
4935c9665263aef7182d720b85a00c4956a48ac04288b475d8f3c46617611580bbe2fc92a6b5fbaf99e169651858db497c66fe7a5f4f06468b87fe80181381fb

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Uninstall Node.js.lnk

Filesize
940B

MD5
3751fada300d6f79adca32e39583a804

SHA1
0c5b3112b0ac42b2a98f8a6716e408f1438a4c93

SHA256
c3ed05b18d566adb8d76c963004534238671a46a8886269727372282cf2e0a2a

SHA512
ce04066148cbb7c08a43978000454229587e875fd5d2ccd7c60ef75365f5156eef96f407f61231a07b0c03644753c439a292a515b203bc3e775d986b21a3ebc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
404B

MD5
1553dd24cff713b3b1848af574193a12

SHA1
39854928eafca97875efe9d50747c5fc01373596

SHA256
32aaf98159d998a2611492e107d2e3485936a32750b6e2d338f7b921a248daa0

SHA512
cd2f8244cbc9a579fb5cab74d7a378d2e4d543a8cae3d3ba7d4558ffe0db1cefd615a2ee8167d7f978bfdca4482c3153909f9e8a69902f6b7b1c4e11bec567ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_CEA48AEE703922244E2530F7A011BBC6

Filesize
404B

MD5
ada1d9de92181dbe19fe765650cca29c

SHA1
113c0f4b1824aaa61ca1782296780982e1a4bcc0

SHA256
548fd3968843a684eb7c409be5c8bc26bf958cc81f1528b1e12ec85b7adce2ee

SHA512
49708429c9ec652cffbaa9b4e2bad027941a4cd36bb293df198ca8d6bb536fae307cbf12e80460bfe40ee72698bc0b1231ed3bebd50fc80801021acd15bf03e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD

Filesize
306B

MD5
2e366f05f8f297ae6dc552280b36d19e

SHA1
30d4138ce0e0835f5e0ec442d9c9a28a09287135

SHA256
a4b47922e8b4dac85fec93f2fdbd4a0c25ed345ffd758749bae07c6c9b6a29c3

SHA512
2d295e10845cc402f49b5960294e9e63fd4fd5682ae9a1a115db05d7e13eb2a854da8194b657884a67ee981520988eaac03d3e4041128948ba01ba9cefeee3b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bootstrapper\Solara\Bootstrapper.exe

Filesize
796KB

MD5
76639ab92661f5c384302899934051ab

SHA1
9b33828f8ad3a686ff02b1a4569b8ae38128caed

SHA256
6bb9ad960bcc9010db1b9918369bdfc4558f19287b5b6562079c610a28320178

SHA512
928e4374c087070f8a6786f9082f05a866751ea877edf9afa23f6941dfc4d6762e1688bbb135788d6286ec324fa117fc60b46fed2f6e3a4ab059465a00f2ebee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bootstrapper\Solara\BootstrapperV1.17.exe

Filesize
796KB

MD5
4b94b989b0fe7bec6311153b309dfe81

SHA1
bb50a4bb8a66f0105c5b74f32cd114c672010b22

SHA256
7c4283f5e620b2506bcb273f947def4435d95e143ae3067a783fd3adc873a659

SHA512
fbbe60cf3e5d028d906e7d444b648f7dff8791c333834db8119e0a950532a75fda2e9bd5948f0b210904667923eb7b2c0176140babc497955d227e7d80fb109d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bcnuyc22.3fi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

Filesize
30.1MB

MD5
0e4e9aa41d24221b29b19ba96c1a64d0

SHA1
231ade3d5a586c0eb4441c8dbfe9007dc26b2872

SHA256
5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

SHA512
e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

Download Submit
C:\Windows\Installer\MSI1F0C.tmp

Filesize
122KB

MD5
9fe9b0ecaea0324ad99036a91db03ebb

SHA1
144068c64ec06fc08eadfcca0a014a44b95bb908

SHA256
e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

SHA512
906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

Download Submit
C:\Windows\Installer\MSI2047.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSI27DA.tmp

Filesize
297KB

MD5
7a86ce1a899262dd3c1df656bff3fb2c

SHA1
33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

SHA256
b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

SHA512
421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
memory/316-116-0x0000024865F60000-0x0000024865F87000-memory.dmp

Filesize
156KB

Download
memory/316-117-0x00007FFDA74D0000-0x00007FFDA74E0000-memory.dmp

Filesize
64KB

Download
memory/512-119-0x000002634A9D0000-0x000002634A9F7000-memory.dmp

Filesize
156KB

Download
memory/512-120-0x00007FFDA74D0000-0x00007FFDA74E0000-memory.dmp

Filesize
64KB

Download
memory/612-105-0x000001CB4F310000-0x000001CB4F331000-memory.dmp

Filesize
132KB

Download
memory/612-107-0x000001CB4F340000-0x000001CB4F367000-memory.dmp

Filesize
156KB

Download
memory/612-109-0x00007FFDA74D0000-0x00007FFDA74E0000-memory.dmp

Filesize
64KB

Download
memory/668-108-0x0000019066540000-0x0000019066567000-memory.dmp

Filesize
156KB

Download
memory/668-111-0x00007FFDA74D0000-0x00007FFDA74E0000-memory.dmp

Filesize
64KB

Download
memory/724-131-0x00007FFDA74D0000-0x00007FFDA74E0000-memory.dmp

Filesize
64KB

Download
memory/724-130-0x0000023A1A3D0000-0x0000023A1A3F7000-memory.dmp

Filesize
156KB

Download
memory/944-123-0x00007FFDA74D0000-0x00007FFDA74E0000-memory.dmp

Filesize
64KB

Download
memory/944-122-0x0000029E59B00000-0x0000029E59B27000-memory.dmp

Filesize
156KB

Download
memory/1076-134-0x00007FFDA74D0000-0x00007FFDA74E0000-memory.dmp

Filesize
64KB

Download
memory/1076-133-0x0000024C5B700000-0x0000024C5B727000-memory.dmp

Filesize
156KB

Download
memory/1084-137-0x00007FFDA74D0000-0x00007FFDA74E0000-memory.dmp

Filesize
64KB

Download
memory/1084-136-0x00000239BEFA0000-0x00000239BEFC7000-memory.dmp

Filesize
156KB

Download
memory/1152-140-0x00007FFDA74D0000-0x00007FFDA74E0000-memory.dmp

Filesize
64KB

Download
memory/1152-139-0x0000024417BF0000-0x0000024417C17000-memory.dmp

Filesize
156KB

Download
memory/1196-142-0x0000021858850000-0x0000021858877000-memory.dmp

Filesize
156KB

Download
memory/1196-143-0x00007FFDA74D0000-0x00007FFDA74E0000-memory.dmp

Filesize
64KB

Download
memory/1244-150-0x00007FFDA74D0000-0x00007FFDA74E0000-memory.dmp

Filesize
64KB

Download
memory/1244-149-0x000001D85AFB0000-0x000001D85AFD7000-memory.dmp

Filesize
156KB

Download
memory/1324-153-0x00007FFDA74D0000-0x00007FFDA74E0000-memory.dmp

Filesize
64KB

Download
memory/1324-152-0x00000296B31C0000-0x00000296B31E7000-memory.dmp

Filesize
156KB

Download
memory/1332-162-0x000002A98C160000-0x000002A98C187000-memory.dmp

Filesize
156KB

Download
memory/1332-163-0x00007FFDA74D0000-0x00007FFDA74E0000-memory.dmp

Filesize
64KB

Download
memory/1824-87-0x00007FFDE7450000-0x00007FFDE7645000-memory.dmp

Filesize
2.0MB

Download
memory/1824-88-0x00007FFDE7060000-0x00007FFDE711E000-memory.dmp

Filesize
760KB

Download
memory/1868-3025-0x0000021ED85C0000-0x0000021ED85D2000-memory.dmp

Filesize
72KB

Download
memory/1868-2775-0x0000021EBFAD0000-0x0000021EBFADA000-memory.dmp

Filesize
40KB

Download
memory/1868-40-0x0000021EBDC50000-0x0000021EBDD1E000-memory.dmp

Filesize
824KB

Download
memory/1884-101-0x000002CA238D0000-0x000002CA23A1E000-memory.dmp

Filesize
1.3MB

Download
memory/2332-85-0x0000015B73480000-0x0000015B735CE000-memory.dmp

Filesize
1.3MB

Download
memory/3116-44-0x00007FF614010000-0x00007FF6178C5000-memory.dmp

Filesize
56.7MB

Download
memory/3116-104-0x00007FF614010000-0x00007FF6178C5000-memory.dmp

Filesize
56.7MB

Download
memory/3196-3468-0x0000024CE9BB0000-0x0000024CE9C65000-memory.dmp

Filesize
724KB

Download
memory/4112-38-0x00007FFDC64E0000-0x00007FFDC6FA1000-memory.dmp

Filesize
10.8MB

Download
memory/4112-26-0x000002CF6FFC0000-0x000002CF6FFE2000-memory.dmp

Filesize
136KB

Download
memory/4112-20-0x000002CF55B00000-0x000002CF55BCE000-memory.dmp

Filesize
824KB

Download
memory/4112-19-0x00007FFDC64E3000-0x00007FFDC64E5000-memory.dmp

Filesize
8KB

Download
memory/4112-23-0x00007FFDC64E0000-0x00007FFDC6FA1000-memory.dmp

Filesize
10.8MB

Download
memory/4928-2786-0x0000024D73BC0000-0x0000024D73C75000-memory.dmp

Filesize
724KB

Download
memory/4928-2815-0x0000024D73E20000-0x0000024D73E2A000-memory.dmp

Filesize
40KB

Download
memory/4928-2811-0x0000024D73DD0000-0x0000024D73DDA000-memory.dmp

Filesize
40KB

Download
memory/4928-2794-0x0000024D73DF0000-0x0000024D73E0C000-memory.dmp

Filesize
112KB

Download
memory/4928-2814-0x0000024D73E10000-0x0000024D73E16000-memory.dmp

Filesize
24KB

Download
memory/4928-2787-0x0000024D73C80000-0x0000024D73C8A000-memory.dmp

Filesize
40KB

Download
memory/4928-2813-0x0000024D73DE0000-0x0000024D73DE8000-memory.dmp

Filesize
32KB

Download
memory/4928-2812-0x0000024D73E30000-0x0000024D73E4A000-memory.dmp

Filesize
104KB

Download
memory/4928-2785-0x0000024D73BA0000-0x0000024D73BBC000-memory.dmp

Filesize
112KB

Download