Malware Analysis Report

2024-10-19 06:38

Sample ID 241013-qxk83ayhjg
Target Solara.exe
SHA256 4960838a390adf1ea412850ca14f15ce7c201fa967c0089df97742ee517ed0fe
Tags
gurcu xworm bootkit discovery execution persistence privilege_escalation ransomware rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4960838a390adf1ea412850ca14f15ce7c201fa967c0089df97742ee517ed0fe

Threat Level: Known bad

The file Solara.exe was found to be: Known bad.

Malicious Activity Summary

gurcu xworm bootkit discovery execution persistence privilege_escalation ransomware rat stealer trojan

Xworm

Detect Xworm Payload

Gurcu, WhiteSnake

Command and Scripting Interpreter: PowerShell

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Modifies system executable filetype association

Checks computer location settings

Drops startup file

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Browser Information Discovery

Enumerates physical storage devices

Unsigned PE

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy WMI provider

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-13 13:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-13 13:38

Reported

2024-10-13 13:55

Platform

win10v2004-20241007-en

Max time kernel

1027s

Max time network

1025s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Gurcu, WhiteSnake

stealer gurcu

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\oyowkx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TrojanXD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\lnkfile\shellex\ContextMenuHandlers C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\tabsets C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\system32\reg.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\TrojanXD.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0280-ABCDEFFEDCBA} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0182-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0002442B-0000-0000-C000-000000000046} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.ogv\AppX6eg8h5sxqq90pv53845wmnbewywdqq5h C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PolicyCache\Microsoft.WindowsMaps_8wekyb3d8bbwe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{769ADDEF-E3D4-3EEF-B2B4-8F5B21BD06C6}\15.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0046-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{40673495-3AEF-45C5-9AC2-F2D13C953301}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.dib C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shellex\ContextMenuHandlers\PlayTo C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Picture.8\Protocol C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{767A19A0-3CC7-415B-9D08-D48DD7B8557D} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30590078-98B5-11CF-BB82-00AA00BDCE0B} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E322340-E4A8-4292-9D52-24E5B7B08253}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.Windows.Search_1.14.2.19041_neutral_neutral_cw5n1h2txyewy\ActivatableClassId C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0002094F-0000-0000-C000-000000000046} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0085-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0167-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Picture.6\CLSID C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30590079-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\LR.LexRefTfFunctionProvider.1.0\CurVer C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.heif\ShellEx C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B69D88F9-BC5A-4EB3-A43C-9AF3155F0632}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XFDFDoc\shell\Open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0048-ABCDEFFEDCBC} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{56B1CCCB-6490-396D-8C09-2257259F3CAA} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC098A45-913B-4914-B6C3-AE6304593E75}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C030E-0000-0000-C000-000000000046}\TypeLib C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{75CB4DB9-6DA0-4DA3-83CE-422B6A433346} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CID\f238900f-f070-4e50-96a8-a1da692cd727\Host C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0063-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Chart.8\Protocol\StdFileEditing\RequestDataFormats C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{cdf2d6a5-df11-47c0-850e-62f342410c53} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2B45394F-79B0-44E0-93C4-82B06AD9D4C1}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.ppsx\ShellEx\PropertyHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\evtxfile C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0375-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0341-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84054849-4B50-5635-BCC9-76273A3C5007}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.oasis.opendocument.text C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6299711A-E372-36AB-A8AB-129031BFD9B9}\15.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WordDocument\Protocol\StdFileEditing C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.scd\PersistentHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.wri C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000CDB10-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3883C8B9-FF24-4571-A867-09F960426E14} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FDEA20DB-AC7A-42f8-90EE-82208B9B4FC0}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0002094D-0000-0000-C000-000000000046} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30217F3C-E8FA-416B-ABA6-BF0BD3B79321} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020811-0000-0000-C000-000000000046}\ProgID C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D4F994C-EBBE-4F8D-BA4B-AE20CD36E72D} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.System.Music.Artist C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C1724-0000-0000-C000-000000000046} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.inf C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.TS\ShellEx\{e357fccd-a995-4576-b01f-234630154e96} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E0FD8B8E-66EA-45D6-A10A-81E74453733A} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0376-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\DataFormats\GetSet\1 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F283-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C18EAE4-BC25-4134-B7DF-1ECA1337DDDC}\AuxUserType C:\Windows\system32\reg.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TrojanXD.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TrojanXD.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3868 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe
PID 3868 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe
PID 3868 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
PID 3868 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
PID 692 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 692 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 692 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 692 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 692 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 692 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 692 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 692 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 692 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe C:\Windows\System32\schtasks.exe
PID 692 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe C:\Windows\System32\schtasks.exe
PID 692 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 692 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 4516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1464 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1464 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1464 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1464 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Solara.exe

"C:\Users\Admin\AppData\Local\Temp\Solara.exe"

C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe

"C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe"

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BootstrapperV21.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc865446f8,0x7ffc86544708,0x7ffc86544718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,6407733943469418952,11170015373516670425,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,6407733943469418952,11170015373516670425,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,6407733943469418952,11170015373516670425,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,6407733943469418952,11170015373516670425,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,6407733943469418952,11170015373516670425,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,6407733943469418952,11170015373516670425,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,6407733943469418952,11170015373516670425,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\fontview.exe

"C:\Windows\System32\fontview.exe" C:\Users\Admin\Downloads\SuspendCompare.otf

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Local\Temp\oyowkx.exe

"C:\Users\Admin\AppData\Local\Temp\oyowkx.exe"

C:\Users\Admin\AppData\Local\Temp\TrojanXD.exe

"C:\Users\Admin\AppData\Local\Temp\TrojanXD.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k reg delete HKCR /f

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Hamster.mp3"

C:\Windows\system32\reg.exe

reg delete HKCR /f

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x39c 0x49c

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 getsolara.dev udp
US 172.67.203.125:443 getsolara.dev tcp
US 8.8.8.8:53 125.203.67.172.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
N/A 127.0.0.1:6463 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
N/A 127.0.0.1:1764 tcp
US 8.8.8.8:53 cash-hispanic.gl.at.ply.gg udp
US 147.185.221.23:1764 cash-hispanic.gl.at.ply.gg tcp
US 8.8.8.8:53 23.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 147.185.221.23:1764 cash-hispanic.gl.at.ply.gg tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp
US 147.185.221.23:1764 cash-hispanic.gl.at.ply.gg tcp
US 147.185.221.23:1764 cash-hispanic.gl.at.ply.gg tcp

Files

C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe

MD5 b3a1a7ef45c3a920f515adc541ee75f4
SHA1 fa69e1c57709dfa076e792509e6c77d297e47664
SHA256 5cb0406be361324ecaeaa54238d82b24dffdfff8ae35dd2a59301e83e71d9d79
SHA512 8628cbac85e04d9f0ada20e6f46c74d3e22edda7095043e1f61bcfd7836b54f29f4dde6de6c72309fd8f7cf66a2d69d1fe7288914a213c35b1d40f7d98e4271c

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe

MD5 4b94b989b0fe7bec6311153b309dfe81
SHA1 bb50a4bb8a66f0105c5b74f32cd114c672010b22
SHA256 7c4283f5e620b2506bcb273f947def4435d95e143ae3067a783fd3adc873a659
SHA512 fbbe60cf3e5d028d906e7d444b648f7dff8791c333834db8119e0a950532a75fda2e9bd5948f0b210904667923eb7b2c0176140babc497955d227e7d80fb109d

memory/692-22-0x00007FFC760A3000-0x00007FFC760A5000-memory.dmp

memory/692-23-0x0000000000860000-0x000000000087A000-memory.dmp

memory/2688-26-0x000001B008C00000-0x000001B008CCE000-memory.dmp

memory/2688-27-0x00007FFC760A0000-0x00007FFC76B61000-memory.dmp

memory/2688-30-0x00007FFC760A0000-0x00007FFC76B61000-memory.dmp

memory/452-36-0x000002237A890000-0x000002237A8B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_15buyqhh.4qk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 07ab6cc81c5230a598c0ad1711b6bd97
SHA1 de7e270e12d447dfc5896b7c96777eb32725778a
SHA256 900aa2c83ec8773c3f9705f75b28fff0eaca57f7adb33dc82564d7ea8f8069a3
SHA512 ffef0ad0824ea0fdab29eb3c44448100f79365a1729c7665eba9aef85a88e60901bc6a6c248de15a28d21be9ce5839d68861e4449ff557d8845927c740ba3a25

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b3bc9ca267ea2969eb6201d77e58560c
SHA1 78f83a443aa1ca235edcab2da9e2fda6fecc1da4
SHA256 7ea18b6f900f2c30a5c34845d62d4fe9fc1f11e40714b3dbd69592cbfb5dc695
SHA512 8cc70e4f88f3d9f59beec22dafdb403144f7f390250205e08279a2f8e01e783af44ae31aa4a8a7ea05865b05303ac5e5048f7fb44488be538d9701b6195e9b28

memory/692-81-0x00007FFC760A0000-0x00007FFC76B61000-memory.dmp

memory/692-82-0x00007FFC760A0000-0x00007FFC76B61000-memory.dmp

memory/692-86-0x000000001B5D0000-0x000000001B5DC000-memory.dmp

memory/692-88-0x0000000002990000-0x000000000299C000-memory.dmp

C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

MD5 db11d0f1cfa068b6e9e446ad575e19a5
SHA1 2a231b1b0e2d96e3df3a48d5f1578f0af6444c21
SHA256 46ca0aaa44cee88be393eb445e970f9849ded8fb99b4f8cf707e12358ff2eaa8
SHA512 e59c233fc47a44c9303c90a427cdf645348eb74c62e64284dad01665289c01f90cd7677c9b101f0855329cd7d29547a0443d253a6effdb1393fcb24f1549e14b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ba6ef346187b40694d493da98d5da979
SHA1 643c15bec043f8673943885199bb06cd1652ee37
SHA256 d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
SHA512 2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b8880802fc2bb880a7a869faa01315b0
SHA1 51d1a3fa2c272f094515675d82150bfce08ee8d3
SHA256 467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
SHA512 e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

\??\pipe\LOCAL\crashpad_3972_HVGCQEECLEPENDPU

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 719cec0af15c9541c12e6f12673323ec
SHA1 04dc95ccaf7714569d120b01d488c52553c3faf0
SHA256 f129e6f63721dadc5222683d13b33e32d5ad65a6b5a36df3464177a0f4f94141
SHA512 8538ef90410e7254fa6fb83cb87077bcbbac43a0e01a7719c30dca2e9df0b807ca0b5be40db76450e04745a7c072bbec63f5cb286a0527690e11cc0ba607e935

C:\Users\Admin\Desktop\How To Decrypt My Files.html

MD5 2abb0c0187d8d8a532e656c378c5d197
SHA1 b9a5bcc295b6883547102ab307302295e4feb214
SHA256 cadde1cd76cc3dbc5bd41e12eab2c426a0dd422194175c1d7267c8ba16592749
SHA512 3ca0db778c0c85cb89dce61997ce474077b8264e3916abc1cd76ed21dc472a54158c902303e959461bc78b8bde7a9e184776693402a28a689a44fa75a948d4fc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a623880bc9e7fa386cda37fd4fb5f16f
SHA1 9e36e3b80d0cf82826c71cde3fd565dea594332e
SHA256 2d962ca4806ecc0f018356a76c3da9f031702f09a1d92b4c8f95f37098f0c723
SHA512 9233575763d61805f6deed9aac53fc94c7131c49663c7b1a3fd95d1524eb4b9f21f3ff8fcc61ce5be811d8c79e8d5f4df447f13e01e158ed3dbf11ada33ad62c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 93ebcaa39ab7655044332cdd1fea1837
SHA1 6e132c694a364b660ae1287de1efa6d62fdb1d62
SHA256 8a77b1ff8a44c0ab434cc319bb8695c72b7854697d1772a09ff4a4bc9df2a64f
SHA512 d0ea8a6898ead1688aa37d3ca8104222193766f202b82f0a7aabb094e33017a32b715bb91b86785f41da09cb1d9a1aaceed7e22ca427e8efe7b5ac2433a5958f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

C:\Users\Admin\Downloads\SuspendCompare.otf

MD5 500cfb1051537b1574b08671b47ceeeb
SHA1 daeab83ee4cb2e94e5f50128ade8acecf4a1a20d
SHA256 e009d9bcee84245108bfcca69fc8ff1f3f43c2e9ef31d6dca9d4140eea686ceb
SHA512 f718b99f5da7a52d8361181aa93581e6cafaf12c2383f9f091357de062cb34bc9a96210de64f47539a405136ab27d108fb3bfdfe5266de55946c36b7654f1df4

C:\Users\Admin\AppData\Local\Temp\oyowkx.exe

MD5 bd950f6c677cd5e6c0d39fe8e6543e37
SHA1 4f24cb7586abdcdb6791d857e52d16e352eed09a
SHA256 b518bffc32040e3c830ecb74fe2b16ae24f8ba22f4730e05221e9dcdb452235d
SHA512 76ce2774d482811c378739532fdb40ec491ac32a4984b8df67340cf9994f5e35ee8bb1045ebd379413d9dce264defdadf0f15c91f8fce7febbadade8d3dc3946

memory/692-931-0x000000001BB60000-0x000000001BBEE000-memory.dmp

C:\Users\Admin\Saved Games\desktop.ini

MD5 b441cf59b5a64f74ac3bed45be9fadfc
SHA1 3da72a52e451a26ca9a35611fa8716044a7c0bbc
SHA256 e6fdf8ed07b19b2a3b8eff05de7bc71152c85b377b9226f126dc54b58b930311
SHA512 fdc26609a674d36f5307fa3f1c212da1f87a5c4cd463d861ce1bd2e614533f07d943510abed0c2edeb07a55f1dccff37db7e1f5456705372d5da8e12d83f0bb3

C:\Users\Admin\Links\desktop.ini

MD5 3b960da228cc489b622697659c885d64
SHA1 00686a12f1a43501f6eea2140da9be141a11bd3b
SHA256 a4234e2cf44c57609fd7cb0f9f0a33ee136b542fba5121ac02d85b38fb2ea02d
SHA512 3cc46f016865b3d541506cb15d7b22c83e1434bf73de23b158101aff08532eac29a6d9709060e9681cbeb375e2f843497ce80c3085579a8266c7f22b9567efd6

C:\Users\Admin\Favorites\desktop.ini

MD5 881dfac93652edb0a8228029ba92d0f5
SHA1 5b317253a63fecb167bf07befa05c5ed09c4ccea
SHA256 a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464
SHA512 592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

C:\Users\Admin\Contacts\desktop.ini

MD5 449f2e76e519890a212814d96ce67d64
SHA1 a316a38e1a8325bef6f68f18bc967b9aaa8b6ebd
SHA256 48a6703a09f1197ee85208d5821032b77d20b3368c6b4de890c44fb482149cf7
SHA512 c66521ed261dcbcc9062a81d4f19070216c6335d365bac96b64d3f6be73cd44cbfbd6f3441be606616d13017a8ab3c0e7a25d0caa211596e97a9f7f16681b738

C:\Users\Admin\Searches\desktop.ini

MD5 089d48a11bff0df720f1079f5dc58a83
SHA1 88f1c647378b5b22ebadb465dc80fcfd9e7b97c9
SHA256 a9e8ad0792b546a4a8ce49eda82b327ad9581141312efec3ac6f2d3ad5a05f17
SHA512 f0284a3cc46e9c23af22fec44ac7bbde0b72f5338260c402564242c3dd244f8f8ca71dd6ceabf6a2b539cacc85a204d9495f43c74f6876317ee8e808d4a60ed8

C:\Users\Admin\OneDrive\desktop.ini

MD5 c193d420fc5bbd3739b40dbe111cd882
SHA1 a60f6985aa750931d9988c3229242f868dd1ca35
SHA256 e5bfc54e8f2409eba7d560ebe1c9bb5c3d73b18c02913657ed9b20ae14925adc
SHA512 d983334b7dbe1e284dbc79cf971465663ca29cec45573b49f9ecdb851cdb6e5f9a6b49d710a1553bdae58c764887c65ba13fd75dfdd380c5c9ef9c0024aa3ef0

C:\Users\Admin\Downloads\desktop.ini

MD5 3a37312509712d4e12d27240137ff377
SHA1 30ced927e23b584725cf16351394175a6d2a9577
SHA256 b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3
SHA512 dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

C:\Users\Admin\Videos\desktop.ini

MD5 50a956778107a4272aae83c86ece77cb
SHA1 10bce7ea45077c0baab055e0602eef787dba735e
SHA256 b287b639f6edd612f414caf000c12ba0555adb3a2643230cbdd5af4053284978
SHA512 d1df6bdc871cacbc776ac8152a76e331d2f1d905a50d9d358c7bf9ed7c5cbb510c9d52d6958b071e5bcba7c5117fc8f9729fe51724e82cc45f6b7b5afe5ed51a

C:\Users\Admin\Pictures\desktop.ini

MD5 29eae335b77f438e05594d86a6ca22ff
SHA1 d62ccc830c249de6b6532381b4c16a5f17f95d89
SHA256 88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4
SHA512 5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

C:\Users\Admin\Music\desktop.ini

MD5 06e8f7e6ddd666dbd323f7d9210f91ae
SHA1 883ae527ee83ed9346cd82c33dfc0eb97298dc14
SHA256 8301e344371b0753d547b429c5fe513908b1c9813144f08549563ac7f4d7da68
SHA512 f7646f8dcd37019623d5540ad8e41cb285bcc04666391258dbf4c42873c4de46977a4939b091404d8d86f367cc31e36338757a776a632c7b5bf1c6f28e59ad98

C:\Users\Admin\Documents\desktop.ini

MD5 ecf88f261853fe08d58e2e903220da14
SHA1 f72807a9e081906654ae196605e681d5938a2e6c
SHA256 cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844
SHA512 82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

C:\Users\Admin\Desktop\desktop.ini

MD5 9e36cc3537ee9ee1e3b10fa4e761045b
SHA1 7726f55012e1e26cc762c9982e7c6c54ca7bb303
SHA256 4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026
SHA512 5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

C:\Users\Admin\AppData\Local\Temp\TrojanXD.exe

MD5 9776b41cc11329e32ca35a161f0af774
SHA1 307fa631ef36f00540c27565bf6adaec8ed4ceef
SHA256 c982e9c712dd27f31cc419ec6b420238e83587b6e021da256568c9237d01944c
SHA512 172585383a63b99693ca386f683055e92152c28cd0e9a3c643dfa61a4147cc600ca69d7b79093217f0cc020590614c88fa8df8026dacfb8b6eeb7eb1bed65487

memory/3332-967-0x000001B8B6600000-0x000001B8B660A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\script.vbs

MD5 92532347e1ab8bddbf09a71a1ca7f808
SHA1 dd765c6e8b69f52895fe92f32fd6b8817ce2a3ee
SHA256 5a5395c770d86eecd51da9c8612ad27e0bb85359788a64af8cb5e380362de4a7
SHA512 481a5188d5fa2a512cd101c909a580af61795406c9df9a32066e2084538779ffa909ab6e484afdd7086b07491a3f95b9cd84ad47b02454a0e9c38c35eca1c342

C:\Users\Admin\AppData\Local\Temp\Hamster.mp3

MD5 1a7155c17d58427879fbcee961df0faf
SHA1 655d78a73fd07c97eaa06a4a358419af8719d630
SHA256 2c716f935bff0b8cde906f2144c91fb70dcc5914c11c54423f3f10290a1795b7
SHA512 1f75e168d8c61f45c3635a0a38627ca2f8ccbf89971eaa43212d97bcd42fea012428eb61660b1acc0d2ef0c90d9b6eb6d3a2b066470cb3709323cc4c8ad554e4

memory/4328-975-0x00007FF72E390000-0x00007FF72E488000-memory.dmp

memory/4328-976-0x00007FFC86E40000-0x00007FFC86E74000-memory.dmp

memory/4328-979-0x00007FFC8D990000-0x00007FFC8D9A7000-memory.dmp

memory/4328-981-0x00007FFC86D60000-0x00007FFC86D77000-memory.dmp

memory/4328-984-0x00007FFC869B0000-0x00007FFC869C1000-memory.dmp

memory/4328-983-0x00007FFC869D0000-0x00007FFC869ED000-memory.dmp

memory/4328-991-0x00007FFC861C0000-0x00007FFC861D1000-memory.dmp

memory/4328-995-0x00007FFC82520000-0x00007FFC82537000-memory.dmp

memory/4328-994-0x00007FFC85D80000-0x00007FFC85D9B000-memory.dmp

memory/4328-993-0x00007FFC85EC0000-0x00007FFC85ED1000-memory.dmp

memory/4328-992-0x00007FFC86150000-0x00007FFC86161000-memory.dmp

memory/4328-990-0x00007FFC86990000-0x00007FFC869A8000-memory.dmp

memory/4328-989-0x00007FFC861E0000-0x00007FFC86201000-memory.dmp

memory/4328-985-0x00007FFC71340000-0x00007FFC7154B000-memory.dmp

memory/4328-988-0x00007FFC86210000-0x00007FFC86251000-memory.dmp

memory/4328-982-0x00007FFC86A80000-0x00007FFC86A91000-memory.dmp

memory/4328-980-0x00007FFC89C80000-0x00007FFC89C91000-memory.dmp

memory/4328-977-0x00007FFC76D50000-0x00007FFC77006000-memory.dmp

memory/4328-978-0x00007FFC8DD70000-0x00007FFC8DD88000-memory.dmp

memory/4328-998-0x00007FFC76D50000-0x00007FFC77006000-memory.dmp