f9e5fe3194d9734845dd782b8e41065577ed7628a112934f1a57599f8dd92209

Analysis

max time kernel
46s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 23:38

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Solaraexecutor.zip
Size

30.1MB
MD5

5b96ce8081bb025c4ad8ae12dc91e102
SHA1

8708c3a51d990a437a4fe003c1fe2bc39e2f65cb
SHA256

f9e5fe3194d9734845dd782b8e41065577ed7628a112934f1a57599f8dd92209
SHA512

39a5e646df49f5c45f24e6aa479dfb40302f939383fdad15d6e3d9de7819aac5a2ec5525fad46ead503fe94d97b11fa587aa0448051d78d37ee8f0f6fdaa146a
SSDEEP

786432:3mA77b6IpMM1QvHzoB/h4pUfbRgo0lJBrPCLaBzR8mHl0:X/b6OMM1QvM/4p8R30lju26m6

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1556	powershell.exe
1164	powershell.exe
3764	powershell.exe
2504	powershell.exe
3092	powershell.exe
3720	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
4792	Bootstraper.exe
1936	Bootstraper.exe
4004	Bootstraper.exe
3248	Bootstraper.exe

GoLang User-Agent 12 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	77	Go-http-client/1.1
HTTP User-Agent header	16	Go-http-client/1.1
HTTP User-Agent header	22	Go-http-client/1.1
HTTP User-Agent header	39	Go-http-client/1.1
HTTP User-Agent header	51	Go-http-client/1.1
HTTP User-Agent header	57	Go-http-client/1.1
HTTP User-Agent header	80	Go-http-client/1.1
HTTP User-Agent header	82	Go-http-client/1.1
HTTP User-Agent header	35	Go-http-client/1.1
HTTP User-Agent header	41	Go-http-client/1.1
HTTP User-Agent header	48	Go-http-client/1.1
HTTP User-Agent header	55	Go-http-client/1.1

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "59"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Bootstraper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Bootstraper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Bootstraper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Bootstraper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Bootstraper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Bootstraper.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
3848	7zFM.exe
3848	7zFM.exe
3720	powershell.exe
3720	powershell.exe
1556	powershell.exe
1556	powershell.exe
1556	powershell.exe
1164	powershell.exe
1164	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
4584	sdiagnhost.exe
2504	powershell.exe
2504	powershell.exe
3092	powershell.exe
3092	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3848	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3848	7zFM.exe
Token: 35	3848	7zFM.exe
Token: SeSecurityPrivilege	3848	7zFM.exe
Token: SeSecurityPrivilege	3848	7zFM.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeIncreaseQuotaPrivilege	4332	wmic.exe
Token: SeSecurityPrivilege	4332	wmic.exe
Token: SeTakeOwnershipPrivilege	4332	wmic.exe
Token: SeLoadDriverPrivilege	4332	wmic.exe
Token: SeSystemProfilePrivilege	4332	wmic.exe
Token: SeSystemtimePrivilege	4332	wmic.exe
Token: SeProfSingleProcessPrivilege	4332	wmic.exe
Token: SeIncBasePriorityPrivilege	4332	wmic.exe
Token: SeCreatePagefilePrivilege	4332	wmic.exe
Token: SeBackupPrivilege	4332	wmic.exe
Token: SeRestorePrivilege	4332	wmic.exe
Token: SeShutdownPrivilege	4332	wmic.exe
Token: SeDebugPrivilege	4332	wmic.exe
Token: SeSystemEnvironmentPrivilege	4332	wmic.exe
Token: SeRemoteShutdownPrivilege	4332	wmic.exe
Token: SeUndockPrivilege	4332	wmic.exe
Token: SeManageVolumePrivilege	4332	wmic.exe
Token: 33	4332	wmic.exe
Token: 34	4332	wmic.exe
Token: 35	4332	wmic.exe
Token: 36	4332	wmic.exe
Token: SeIncreaseQuotaPrivilege	4332	wmic.exe
Token: SeSecurityPrivilege	4332	wmic.exe
Token: SeTakeOwnershipPrivilege	4332	wmic.exe
Token: SeLoadDriverPrivilege	4332	wmic.exe
Token: SeSystemProfilePrivilege	4332	wmic.exe
Token: SeSystemtimePrivilege	4332	wmic.exe
Token: SeProfSingleProcessPrivilege	4332	wmic.exe
Token: SeIncBasePriorityPrivilege	4332	wmic.exe
Token: SeCreatePagefilePrivilege	4332	wmic.exe
Token: SeBackupPrivilege	4332	wmic.exe
Token: SeRestorePrivilege	4332	wmic.exe
Token: SeShutdownPrivilege	4332	wmic.exe
Token: SeDebugPrivilege	4332	wmic.exe
Token: SeSystemEnvironmentPrivilege	4332	wmic.exe
Token: SeRemoteShutdownPrivilege	4332	wmic.exe
Token: SeUndockPrivilege	4332	wmic.exe
Token: SeManageVolumePrivilege	4332	wmic.exe
Token: 33	4332	wmic.exe
Token: 34	4332	wmic.exe
Token: 35	4332	wmic.exe
Token: 36	4332	wmic.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	3764	powershell.exe
Token: SeIncreaseQuotaPrivilege	3020	wmic.exe
Token: SeSecurityPrivilege	3020	wmic.exe
Token: SeTakeOwnershipPrivilege	3020	wmic.exe
Token: SeLoadDriverPrivilege	3020	wmic.exe
Token: SeSystemProfilePrivilege	3020	wmic.exe
Token: SeSystemtimePrivilege	3020	wmic.exe
Token: SeProfSingleProcessPrivilege	3020	wmic.exe
Token: SeIncBasePriorityPrivilege	3020	wmic.exe
Token: SeCreatePagefilePrivilege	3020	wmic.exe
Token: SeBackupPrivilege	3020	wmic.exe
Token: SeRestorePrivilege	3020	wmic.exe
Token: SeShutdownPrivilege	3020	wmic.exe
Token: SeDebugPrivilege	3020	wmic.exe
Token: SeSystemEnvironmentPrivilege	3020	wmic.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3848	7zFM.exe
3848	7zFM.exe
3848	7zFM.exe
2548	msdt.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3848	LogonUI.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3848 wrote to memory of 4792	3848	7zFM.exe	84
PID 3848 wrote to memory of 4792	3848	7zFM.exe	84
PID 1936 wrote to memory of 3720	1936	Bootstraper.exe	104
PID 1936 wrote to memory of 3720	1936	Bootstraper.exe	104
PID 3720 wrote to memory of 1556	3720	powershell.exe	106
PID 3720 wrote to memory of 1556	3720	powershell.exe	106
PID 1936 wrote to memory of 4332	1936	Bootstraper.exe	107
PID 1936 wrote to memory of 4332	1936	Bootstraper.exe	107
PID 4004 wrote to memory of 1164	4004	Bootstraper.exe	111
PID 4004 wrote to memory of 1164	4004	Bootstraper.exe	111
PID 1164 wrote to memory of 3764	1164	powershell.exe	113
PID 1164 wrote to memory of 3764	1164	powershell.exe	113
PID 4004 wrote to memory of 3020	4004	Bootstraper.exe	114
PID 4004 wrote to memory of 3020	4004	Bootstraper.exe	114
PID 1844 wrote to memory of 2548	1844	pcwrun.exe	120
PID 1844 wrote to memory of 2548	1844	pcwrun.exe	120
PID 4584 wrote to memory of 1136	4584	sdiagnhost.exe	124
PID 4584 wrote to memory of 1136	4584	sdiagnhost.exe	124
PID 1136 wrote to memory of 2468	1136	csc.exe	125
PID 1136 wrote to memory of 2468	1136	csc.exe	125
PID 4584 wrote to memory of 4808	4584	sdiagnhost.exe	126
PID 4584 wrote to memory of 4808	4584	sdiagnhost.exe	126
PID 4808 wrote to memory of 4792	4808	csc.exe	127
PID 4808 wrote to memory of 4792	4808	csc.exe	127
PID 3248 wrote to memory of 2504	3248	Bootstraper.exe	130
PID 3248 wrote to memory of 2504	3248	Bootstraper.exe	130
PID 2504 wrote to memory of 3092	2504	powershell.exe	132
PID 2504 wrote to memory of 3092	2504	powershell.exe	132
PID 3248 wrote to memory of 5020	3248	Bootstraper.exe	133
PID 3248 wrote to memory of 5020	3248	Bootstraper.exe	133

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Solaraexecutor.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Users\Admin\AppData\Local\Temp\7zO80FAF9B7\Bootstraper.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO80FAF9B7\Bootstraper.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:4792

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4512

C:\Users\Admin\Desktop\New folder\Bootstraper.exe
"C:\Users\Admin\Desktop\New folder\Bootstraper.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\";" powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\Desktop\New folder\Bootstraper.exe\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\New folder\Bootstraper.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1556
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4332

C:\Users\Admin\Desktop\New folder\Bootstraper.exe
"C:\Users\Admin\Desktop\New folder\Bootstraper.exe"
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\";" powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\Desktop\New folder\Bootstraper.exe\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\New folder\Bootstraper.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3764
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3020

C:\Windows\system32\pcwrun.exe
C:\Windows\system32\pcwrun.exe "C:\Users\Admin\Desktop\New folder\Bootstraper.exe" ContextMenu
1⤵
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\System32\msdt.exe
  C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCW177B.xml /skip TRUE
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2548

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\idhtcwld\idhtcwld.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B34.tmp" "c:\Users\Admin\AppData\Local\Temp\idhtcwld\CSC8382A4A55F1147A4A27E2AEC32CA2CFF.TMP"
    3⤵
    PID:2468
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\abyq1byt\abyq1byt.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BB1.tmp" "c:\Users\Admin\AppData\Local\Temp\abyq1byt\CSC225411C07206426CBEE44ED670D13D57.TMP"
    3⤵
    PID:4792

C:\Users\Admin\Desktop\New folder\Bootstraper.exe
"C:\Users\Admin\Desktop\New folder\Bootstraper.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\";" powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\Desktop\New folder\Bootstraper.exe\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\New folder\Bootstraper.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3092
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get uuid
  2⤵
  PID:5020

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38dc855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2024121023.000\PCW.debugreport.xml

Filesize
2KB

MD5
32a7fcdb75acdf74ed4bfb8f0400455b

SHA1
008f7895bba7cc8adb727fd605f881e069199abe

SHA256
40aa7031e0d4f3bffb772e354bc2f30265c876d1a93542d9e347f02abe6ddfc6

SHA512
c92a944188e3d8880874d5e93fc12fa7632c11f9a2559acf19839c2015807ea29e9cbdf6b265a6063d4d3c135ccb8439c1942095a8f50bdae6ce5a10985839d1

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2024121023.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cdf377d6ccb37f23eb0d1b83c9651f6f

SHA1
57b69a176a9943dab57f237206120470e8de1b14

SHA256
487db2efc663739a59036e932ce3ef343ff828f3776abfa614bdb045929646ee

SHA512
3df9d83489a53b91a762ac9729a8a526d54986ad403ca61453feb7a388404fd638b3a37d5fd9bde12f4153a137cd18178fbae4b8b7f8b730f91e60debf8d9ee5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
560B

MD5
ff0612d8c4c11d8e6c8acb29f13d5a43

SHA1
87551789767a2c5059042ea3af190c2ffd62e035

SHA256
ed6f7e870054d96362a685e0fa0a6777e0a89d66ee583c5577552ada0fe9d3d1

SHA512
e6625f422885ab78b3b039b44a6a0f338c5997f705ec513b6bfffa6c50e45863cf435aeb8a77cbc99aea05255e14294827306f0113a9c96020adda85ddefc472

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCW177B.xml

Filesize
738B

MD5
81a53c6cfd92cb1d62617b2e1ba637c6

SHA1
65ad01de47bc6935e64d0e678cad11ce0866915f

SHA256
aa7a5a2fe06fa86446e51c4790e42dfb004e1b6f6161e5633939553cec326df7

SHA512
cf81f1f8f4d259d880e1c88c27dd993c5901cc71ef6d3a88a247ab20b054015c8f8180c51c8fb0f685fa9934350a9594babfe349ab8ba3c289a4af712b6fbb85

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1B34.tmp

Filesize
1KB

MD5
8ff5f903beb36e5b125d98c2da36a03e

SHA1
153e157a9e43ff34f3b093a1aea8499017a031ce

SHA256
2c75dc61815dab4fcfb77c870a44128ae7e3a45d9291955f15cbc4be6ac5ae7b

SHA512
2f9f79378c3c837093abc070bb3795fa83c5dd138bbb161b400052c2f2edaf961678829d44b1dbb02f6509b5cc80bc629c9901a5de3749f75b6b6e0bd453aa98

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1BB1.tmp

Filesize
1KB

MD5
77952228ff23493ff4a8872fe558ef46

SHA1
4255ed474cba3dbdfef4193d7ab740f937140288

SHA256
ceb558436b6e92348fb6a19fc9030f2fb044b90133b91e9b576541b171bf2221

SHA512
dc4aa24b06a6af4748a0bd1323d7a4f48e5d310e8dc64ea90a93b4b68979a1963523e2b1f3e3f6396a0daa1c39ceff0cd9941d5ce8822c256a1579d40725f8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zbosceul.owv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\abyq1byt\abyq1byt.dll

Filesize
3KB

MD5
52814de4d16596875db842a137a0239b

SHA1
207e2ed1cb9afbbe8c162420ff3633e4836dae24

SHA256
4ae8f86eac5218a7b5c0e5e739b8d2e3406f907b09b37e8cf70a74eb540354b0

SHA512
f43f25874bfed70db081d30ac41d59d31cf5231356e439fdb6724d5126327c45580b8ce7e6f62e6ec68efecaef6607f0abb5aa6852117d12d04e6cce5f1d6213

Download Submit
C:\Users\Admin\AppData\Local\Temp\idhtcwld\idhtcwld.dll

Filesize
5KB

MD5
d933f9437691f9333c5c324a55de649d

SHA1
88883d60cee7bae26a41d2c2df201ec81325d420

SHA256
23a7a76c286c2ce40db29b49010c1b93d4fe06b247a5e7af54140769d665f44e

SHA512
e4ad378fa93b827d97261c25070e360cd5c105208967a25de6011109b9d2450a85be24bafe263f812f736076c4b007cd00729f9fa10390a236ed9834cbe8de40

Download Submit
C:\Windows\TEMP\SDIAG_cf5671fd-6505-4a80-bf29-734751f5696a\TS_ProgramCompatibilityWizard.ps1

Filesize
16KB

MD5
925f0b68b4de450cabe825365a43a05b

SHA1
b6c57383a9bd732db7234d1bb34fd75d06e1fb72

SHA256
5b1be3f6c280acfe041735c2e7c9a245e806fd7f1bf6029489698b0376e85025

SHA512
012aadec4ed60b311f2b5374db3a2e409a0708272e6217049643bf33353ab49e4e144d60260b04e3ae29def8a4e1b8ada853a93972f703ca11b827febe7725af

Download Submit
C:\Windows\TEMP\SDIAG_cf5671fd-6505-4a80-bf29-734751f5696a\en-US\CL_LocalizationData.psd1

Filesize
6KB

MD5
2c81a148f8e851ce008686f96e5bf911

SHA1
272289728564c9af2c2bd8974693a099beb354ad

SHA256
1a2381382671147f56cf137e749cb8a18f176a16793b2266a70154ee27971437

SHA512
409c2e953672b0399987ec85c7113c9154bc9d6ca87cf523485d9913bb0bf92a850638c84b8dc07a96b6366d406a094d32dc62dd76417c0d4e4ae86d8fcb8bbb

Download Submit
C:\Windows\Temp\SDIAG_cf5671fd-6505-4a80-bf29-734751f5696a\DiagPackage.dll

Filesize
65KB

MD5
79134a74dd0f019af67d9498192f5652

SHA1
90235b521e92e600d189d75f7f733c4bda02c027

SHA256
9d6e3ed51893661dfe5a98557f5e7e255bbe223e3403a42aa44ea563098c947e

SHA512
1627d3abe3a54478c131f664f43c8e91dc5d2f2f7ddc049bc30dfa065eee329ed93edd73c9b93cf07bed997f43d58842333b3678e61aceac391fbe171d8461a3

Download Submit
C:\Windows\Temp\SDIAG_cf5671fd-6505-4a80-bf29-734751f5696a\en-US\DiagPackage.dll.mui

Filesize
10KB

MD5
d7309f9b759ccb83b676420b4bde0182

SHA1
641ad24a420e2774a75168aaf1e990fca240e348

SHA256
51d06affd4db0e4b37d35d0e85b8209d5fab741904e8d03df1a27a0be102324f

SHA512
7284f2d48e1747bbc97a1dab91fb57ff659ed9a05b3fa78a7def733e809c15834c15912102f03a81019261431e9ed3c110fd96539c9628c55653e7ac21d8478d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\abyq1byt\CSC225411C07206426CBEE44ED670D13D57.TMP

Filesize
652B

MD5
5ec06bc637fea695049196412eeddb3c

SHA1
5e1f9c275b04132c09288b992a68efe35fb435a0

SHA256
76b3613f9dd1b0e53cd5930c717ebd788c54b777dfe31737ace10c18086ec922

SHA512
2bf2de2e4f6bdd3396d23678dd52ddc98b3c9d87ef550e238233f60324138aad51af1ef6214187d43304d84e05fa6d63086b92c40b0ae42cb8a90646f19c6ee6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\abyq1byt\abyq1byt.0.cs

Filesize
791B

MD5
3880de647b10555a534f34d5071fe461

SHA1
38b108ee6ea0f177b5dd52343e2ed74ca6134ca1

SHA256
f73390c091cd7e45dac07c22b26bf667054eacda31119513505390529744e15e

SHA512
2bf0a33982ade10ad49b368d313866677bca13074cd988e193b54ab0e1f507116d8218603b62b4e0561f481e8e7e72bdcda31259894552f1e3677627c12a9969

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\abyq1byt\abyq1byt.cmdline

Filesize
356B

MD5
e0ac053895730007964bc88aee2b7a3d

SHA1
5b40d4e38e078f5d2d6dd3aec7360374641240be

SHA256
6892ea9318d035fe678403c158110d970e2d8d62831f5b906836b9f3e7a01357

SHA512
4b5fe77208d5111b0c667ed1c046ddf8d4874bea2d5b3d813ab64554d9bccc02750630876745c10b5802de4d9b1149b18764bb9f6cae56a86fba617b72e578f3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\idhtcwld\CSC8382A4A55F1147A4A27E2AEC32CA2CFF.TMP

Filesize
652B

MD5
290ec6e3b183bcc7c4051558692d3396

SHA1
9978f158a06d6052f456aafb621a56e31c6ece13

SHA256
065daeda74fc7b06acd629a50f92ce185c3130452881283708fb1732f17a19aa

SHA512
ab1c1b193fab5be6fd59a724fc8f5a15955421c1f4979e4f997118dd5b3486c7dd5d475fd7bdaacd80deaab59424b0dc00c0aa74baf2cac9ce8f5d7148613fb2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\idhtcwld\idhtcwld.0.cs

Filesize
5KB

MD5
fc2e5c90a6cb21475ea3d4254457d366

SHA1
68f9e628a26eb033f1ee5b7e38d440cfd598c85d

SHA256
58fcc3cfb1e17e21401e2a4b2452a6e5b8a47163008b54fdcdcc8cadff7e5c77

SHA512
c54b9ce28fa71d7e3629cdd74ac9f23cba873506f1b5825acc2aa407414ed603af4c846dcf388c579f8324e3538e63b26f90421ea9d7fcdd3b277c21bad1a5b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\idhtcwld\idhtcwld.cmdline

Filesize
356B

MD5
14c808d4f71e1be914c9150a0e839434

SHA1
00bb16e793bf96418f9d5b4814b6da075d9122ce

SHA256
01503ee0933a0a2c5b2beb684d299186c8eaaa852aa769088253b28a0c32f221

SHA512
5d60525d8870663ac599a57318b9fc6a747c659779d471af0d64cbb2cc533d709981095734d93d6c2da75ac0213a4e6f7ffc74aeff6337bab1ba88cb514eea9e

Download Submit
memory/3720-15-0x00000268FC1C0000-0x00000268FC1E2000-memory.dmp

Filesize
136KB

Download
memory/4584-240-0x000001C29D7B0000-0x000001C29D7B8000-memory.dmp

Filesize
32KB

Download
memory/4584-226-0x000001C29D770000-0x000001C29D778000-memory.dmp

Filesize
32KB

Download